Description
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
Published: 2026-01-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Arcane, a Docker management tool, contains a command injection flaw in its updater service. The vulnerability allows a malicious command to be injected via lifecycle labels that are executed with /bin/sh -c without sanitization. This flaw can lead to execution of arbitrary code inside the container during an update operation.

Affected Systems

GetArcaneApp Arcane version 1.12.x and earlier are affected. The issue was resolved in version 1.13.0.

Risk and Exploitability

The CVSS score is 9.1, indicating critical severity. The EPSS score is below 1%, suggesting low exploitation probability at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated API user to create a project with the malicious lifecycle label; an administrator then triggers the container update, at which point the injected command executes inside the target container. The attack vector is therefore an authenticated, privileged operation, but the impact is full remote code execution within the container environment.

Generated by OpenCVE AI on April 18, 2026 at 06:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Arcane to version 1.13.0 or later
  • Restrict API project creation to administrators or disable lifecycle labels
  • Audit existing deployments for malicious lifecycle labels and remove or neutralize them

Generated by OpenCVE AI on April 18, 2026 at 06:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gjqq-6r35-w3r8 Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE
History

Thu, 05 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Arcane
Arcane arcane
CPEs cpe:2.3:a:arcane:arcane:*:*:*:*:*:*:*:*
Vendors & Products Arcane
Arcane arcane

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Getarcaneapp
Getarcaneapp arcane
Vendors & Products Getarcaneapp
Getarcaneapp arcane

Thu, 15 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
Title Arcane has a Command Injection in Arcane Updater Lifecycle Labels Enables RCE
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Arcane Arcane
Getarcaneapp Arcane
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T19:58:45.182Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23520

cve-icon Vulnrichment

Updated: 2026-01-15T19:58:41.451Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T20:16:05.467

Modified: 2026-02-05T21:37:01.000

Link: CVE-2026-23520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses