Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-47179— Arcane: Authenticated Arbitrary Host File Read via Docker Compose Include Directives in Arcane

CVSS 7.7 · High

Affected Version Matrix 1

VendorProductVersion RangeStatus
getarcaneapparcane< 1.19.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-47179

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Arcane: Authenticated Arbitrary Host File Read via Docker Compose Include Directives in Arcane
Source: NVD (National Vulnerability Database)
Vulnerability Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
getarcaneapparcane < 1.19.4 -

II. Public POCs for CVE-2026-47179

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-47179

登录查看更多情报信息。

Patches & Fixes for CVE-2026-47179 (1)

Vendor Advisories for CVE-2026-47179 (1)

Same Patch Batch · getarcaneapp · 2026-05-29 · 5 CVEs total

CVE-2026-456259.9 CRITICALArcane: Missing admin authorization on git repository endpoints allows non-admin users to
CVE-2026-471258.8 HIGHArcane: Missing admin authorization on global variables endpoint
CVE-2026-456278.2 HIGHArcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enab
CVE-2026-456266.3 MEDIUMArcane: OS Command Injection in Volume Browser ListDirectory via path query parameter

IV. Related Vulnerabilities

Same product: arcane
Same vendor: getarcaneapp
Same weakness: CWE-22

V. Comments for CVE-2026-47179

No comments yet

Leave a comment