Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4.
Published: 2026-05-29
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can create a project in Arcane whose Docker Compose file contains the directive include: ['../../../../etc/passwd']. The ProjectService.GetProjectFileContent method returns the contents of these include files before performing any path-traversal validation, allowing the attacker to read arbitrary files that are readable by the Arcane backend process. The attacker can access sensitive files such as /app/data/arcane.db, which stores user password hashes and API keys, and can also read other system files. This disclosure could be leveraged for privilege escalation and remote code execution on the host via Arcane's Docker control plane.

Affected Systems

Arcane (getarcaneapp:arcane) software versions prior to 1.19.4 are vulnerable. Version 1.19.4 and later contain the fix that validates include paths before reading the file.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authentication to create a project. Once authenticated, an attacker can choose arbitrary include paths, read any file accessible to the backend process, and potentially elevate privileges or execute code on the host. The risk is substantial for systems where Arcane is exposed to untrusted users.

Generated by OpenCVE AI on May 29, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Arcane to version 1.19.4 or later, which validates include paths and blocks the vulnerable behavior.
  • If an upgrade is not immediately possible, restrict or disable the use of Docker Compose include directives for all users by blocking include paths that contain '..' or absolute references.
  • Enforce least privilege by ensuring only trusted users can create projects, and monitor account activity for suspicious include path usage.
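The fix in 1.19.4 is described as validating include paths before reading the file. As an added illustration (not Arcane's own code), the Go function below shows the containment check a backend should apply to each compose include entry: it resolves the entry against the project directory and rejects anything that escapes it, rather than scanning for a literal '..' substring, which would both miss cleaned forms like sub/../../x and wrongly reject legitimate names like ..local/base.yaml. The project directory and include entries are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrIncludeOutsideProject is returned when an include entry would resolve
// to a location outside the project's directory.
var ErrIncludeOutsideProject = errors.New("compose include resolves outside project directory")

// SafeIncludePath resolves a compose include entry against projectDir and
// refuses absolute paths and any relative path that escapes the directory.
// Containment is decided on the cleaned, resolved path, so "sub/../../x"
// is rejected while a file literally named "..local/base.yaml" is allowed.
// If the project directory can contain attacker-created symlinks, the
// caller should additionally run filepath.EvalSymlinks on the result and
// repeat the check on the resolved path.
func SafeIncludePath(projectDir, include string) (string, error) {
	if include == "" {
		return "", errors.New("empty include path")
	}
	if filepath.IsAbs(include) {
		return "", ErrIncludeOutsideProject
	}
	base, err := filepath.Abs(projectDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, include) // Join also cleans the result
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrIncludeOutsideProject
	}
	return target, nil
}

func main() {
	// Constructed sample project directory and include entries.
	projectDir := "/srv/arcane/projects/demo"
	for _, inc := range []string{"base.yaml", "../../../../etc/passwd", "/app/data/arcane.db", "sub/../../other/x.yaml", "..local/base.yaml"} {
		p, err := SafeIncludePath(projectDir, inc)
		fmt.Printf("%-28s -> %s %v\n", inc, p, err)
	}
}
```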

Generated by OpenCVE AI on May 29, 2026 at 18:22 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-c3px-h233-h6fq
Title: Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives

History

Tue, 02 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Getarcaneapp; Getarcaneapp arcane

Type: Vendors & Products
Values Removed: none
Values Added: Getarcaneapp; Getarcaneapp arcane

Fri, 29 May 2026 17:30:00 +0000

Type: Description
Values Removed: none
Values Added: Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4.

Type: Title
Values Removed: none
Values Added: Arcane: Authenticated Arbitrary Host File Read via Docker Compose Include Directives in Arcane

Type: Weaknesses
Values Removed: none
Values Added: CWE-22

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:46:26.827Z

Reserved: 2026-05-18T21:25:34.498Z

Link: CVE-2026-47179

Vulnrichment

Updated: 2026-06-02T15:44:14.411Z

NVD

Status: Deferred

Published: 2026-05-29T18:17:12.500

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-47179

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')