Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.
Published: 2026-05-29
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arcane, an interface for managing Docker resources, has a flaw in versions 1.18.1 and earlier: the GET /environments/{id}/volumes/{volumeName}/browse endpoint accepts a path query parameter that is interpolated into a shell script (sh -c "find … | while …") run inside an Arcane helper container. The sanitisation routine only blocks ../ traversal and does not strip Bourne‑shell metacharacters such as $(), backticks, and other substitution sequences; strconv.Quote escapes Go string metacharacters (backslash, double quote, control bytes) but leaves shell substitution intact, and sh still expands $() and backticks inside double quotes. As a result, any authenticated user who can browse a volume can inject and execute arbitrary shell commands inside the helper container, and the command output is returned in the 500 error body, so the attacker gets direct feedback rather than having to probe blind. This is a classic OS Command Injection (CWE‑78). The impact is compromise of the helper container's execution environment, including access to whatever that container has mounted (at minimum the browsed volume), and a foothold from which further movement inside the Docker environment could be attempted; the description does not indicate direct host access. The attack requires an authenticated user with access to a browseable volume who can reach the endpoint; the path parameter is the sole injection vector and no further user interaction is needed. Only Arcane 1.18.1 and earlier are affected.

Affected Systems

The affected product is Arcane by getarcaneapp; version 1.18.1 and all earlier releases are impacted. No fixed version number is recorded on this page. The analysis refers to a newer release that removes the vulnerable helper‑container logic, but that should be confirmed against the GHSA advisory (GHSA-9mvm-4gwg-v8mp) before treating any particular version as fixed.

Risk and Exploitability

The CVSS 3.1 base score is 6.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L: reachable over the network, low attack complexity, low privileges required (an authenticated account), no user interaction, scope unchanged, and low (partial) impact on confidentiality, integrity and availability. EPSS is below 1% (Very Low), the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation, not automatable, and partial technical impact. The technique itself is straightforward command injection through a single query parameter, and the output reflected in the error body removes any need for blind or out‑of‑band exfiltration, so an attacker who knows the endpoint and holds an account with volume access can exploit it with relative ease. No public exploit is referenced here, but defenders running Arcane with several users, or with volume access granted to lower‑trust accounts, should treat the risk as significant.

Generated by OpenCVE AI on May 29, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Arcane to a release that no longer builds the volume listing as an sh -c string; confirm the fixed version against the GHSA advisory.
  • Until then, limit which accounts can reach /environments/{id}/volumes/{volumeName}/browse. The endpoint already requires authentication, so the effective control is restricting volume access to trusted users.
  • Validate the path query parameter against an allowlist (absolute path, lexically cleaned, restricted character set) rather than trying to deny individual metacharacters, and pass it to find as a separate argv element instead of interpolating it into a shell command string.
  • Run the helper container with the minimum needed for file listing: no shell binary if possible, a read‑only volume mount, a non‑root user, and no extra capabilities.
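The following Go example is added here to illustrate the mechanism described in the Impact section and the fix recommended above; it is not Arcane's code. The vulnerable builder reconstructs the pattern the description gives (strconv.Quote of the user path spliced into an sh -c "find … | while …" script) and shows that $() and backticks survive strconv.Quote verbatim; the hardened builder validates the path against an allowlist and returns an argv slice that never touches a shell. The mount point /volume, the find options, and the function names are assumptions for the example, and neither builder actually executes anything; in a real backend the argv would go to exec.Command or the Cmd field of a Docker exec create call.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strconv"
	"strings"
	"unicode"
)

// volumeRoot is the assumed mount point of the browsed volume inside the
// helper container (an assumption for this example, not Arcane's layout).
const volumeRoot = "/volume"

// legacySanitise reproduces the behaviour the advisory describes: it
// rejects "../" traversal and nothing else.
func legacySanitise(userPath string) (string, error) {
	if strings.Contains(userPath, "../") {
		return "", errors.New("path traversal rejected")
	}
	return userPath, nil
}

// vulnerableArgv builds the command the way the advisory describes: the
// user-controlled path is Go-quoted and spliced into a script run by sh -c.
// strconv.Quote wraps the value in double quotes and escapes only Go string
// metacharacters (backslash, double quote, control bytes). Inside sh double
// quotes, $(...), `...` and $VAR are still expanded, so an injected command runs.
func vulnerableArgv(userPath string) ([]string, error) {
	p, err := legacySanitise(userPath)
	if err != nil {
		return nil, err
	}
	script := fmt.Sprintf(
		`find %s -mindepth 1 -maxdepth 1 | while read -r f; do stat -c '%%n %%s' "$f"; done`,
		strconv.Quote(p))
	return []string{"sh", "-c", script}, nil
}

// safeVolumePath normalises and validates the path before use: absolute
// only, an allowlist of characters, lexically cleaned so ".." cannot climb
// above the root, and joined under volumeRoot. The allowlist is defence in
// depth; the primary fix is in hardenedArgv, which never invokes a shell.
func safeVolumePath(userPath string) (string, error) {
	if userPath == "" {
		userPath = "/"
	}
	if !strings.HasPrefix(userPath, "/") {
		return "", errors.New("path must be absolute")
	}
	for _, r := range userPath {
		if !(unicode.IsLetter(r) || unicode.IsDigit(r) || strings.ContainsRune("/._-", r)) {
			return "", fmt.Errorf("disallowed character %q in path", r)
		}
	}
	// path.Clean on an absolute path resolves ".." lexically and never
	// returns a path starting with "..", so the joined result stays under root.
	full := path.Join(volumeRoot, path.Clean(userPath))
	if full != volumeRoot && !strings.HasPrefix(full, volumeRoot+"/") {
		return "", errors.New("path escapes volume root")
	}
	return full, nil
}

// hardenedArgv returns an argv slice with no shell in it: each element
// reaches execve (or a Docker exec Cmd list) as a single argument, so shell
// metacharacters in the path are just bytes in a filename.
func hardenedArgv(userPath string) ([]string, error) {
	full, err := safeVolumePath(userPath)
	if err != nil {
		return nil, err
	}
	return []string{"find", full, "-mindepth", "1", "-maxdepth", "1", "-printf", "%p\t%s\n"}, nil
}

func main() {
	payload := "/logs/$(id)" // constructed injection payload
	argv, _ := vulnerableArgv(payload)
	fmt.Println("vulnerable sh -c script:", argv[2])
	if _, err := hardenedArgv(payload); err != nil {
		fmt.Println("hardened builder rejected payload:", err)
	}
	argv, _ = hardenedArgv("/logs/app")
	fmt.Println("hardened argv:", strings.Join(argv, " "))
}
```

The point to take from the output is that the vulnerable script still contains $(id) inside the double quotes that strconv.Quote added, which sh will expand, while the hardened path either fails validation or becomes one argv element that find receives literally.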

Generated by OpenCVE AI on May 29, 2026 at 18:50 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-9mvm-4gwg-v8mp
Title: Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter
History

Tue, 02 Jun 2026 00:30:00 +0000

Metrics, ssvc added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:45:00 +0000

First Time appeared, added: Getarcaneapp; Getarcaneapp arcane
Vendors & Products, added: Getarcaneapp; Getarcaneapp arcane

Fri, 29 May 2026 17:30:00 +0000

Description, added: Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.
Title, added: Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter
Weaknesses, added: CWE-78
References
Metrics, cvssV3_1 added:

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T22:35:13.407Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45626

Vulnrichment

Updated: 2026-06-01T22:35:07.795Z

NVD

Status : Deferred

Published: 2026-05-29T18:17:10.483

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:00:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')