PatchSiren cyber security CVE debrief
CVE-2026-47179 getarcaneapp CVE debrief
Arcane is a Docker management interface. Prior to version 1.19.4, the application fails to validate path-traversal sequences in Docker Compose include directives before returning file contents through the ProjectService.GetProjectFileContent API. An authenticated attacker can create a project with a malicious compose file containing an include directive referencing arbitrary filesystem paths (e.g., ../../../../etc/passwd), then retrieve the contents of any file readable by the Arcane backend process. This includes sensitive files such as /app/data/arcane.db, which contains password hashes and API keys for all users. Successful exploitation enables privilege escalation to administrative access and, through Arcane's Docker control plane, remote code execution on the host system. The vulnerability was disclosed on May 29, 2026 and is fixed in Arcane version 1.19.4.
- Vendor: getarcaneapp
- Product: arcane
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running the Arcane Docker management interface at versions prior to 1.19.4; security teams monitoring container orchestration platforms; incident responders investigating potential credential compromise in Arcane deployments.
Technical summary
The vulnerability exists in ProjectService.GetProjectFileContent, which returns the contents of files referenced by Docker Compose include directives before any path-traversal validation runs. ProjectService.CreateProject writes attacker-controlled compose content without validating include paths. An authenticated user can chain these two weaknesses to read any file the backend process can read, extract credential material (password hashes and API keys) from the SQLite database at /app/data/arcane.db, escalate to admin privileges, and reach host RCE through Arcane's Docker control plane access.
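The check that must run before include contents are returned, as an added example that is not Arcane's code: a hypothetical ResolveInclude helper rejects absolute and ".."-escaping entries lexically, then follows symlinks for targets that exist so a link inside the project pointing at a directory like /app/data is rejected as well.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideProject marks an include entry that escapes the project directory.
var ErrOutsideProject = errors.New("include path resolves outside project directory")

// insideRoot reports whether an absolute, cleaned path lies under root.
func insideRoot(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveInclude returns the absolute path for a compose include entry only when it
// stays under projectDir. Step 1 is lexical: Join collapses "..", so
// "../../../../etc/passwd", "/etc/passwd" and "sub/../../x" fail before any file is
// opened. Step 2 follows symlinks when the target exists. Hypothetical helper.
func ResolveInclude(projectDir, include string) (string, error) {
	root, err := filepath.Abs(projectDir)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(include) { // includes must be project-relative
		return "", ErrOutsideProject
	}
	candidate := filepath.Join(root, include)
	if !insideRoot(root, candidate) {
		return "", ErrOutsideProject
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err // the project directory itself must exist
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, os.ErrNotExist) {
		return candidate, nil // nothing to follow yet; lexical check already passed
	}
	if err != nil {
		return "", err
	}
	if !insideRoot(realRoot, realPath) {
		return "", ErrOutsideProject
	}
	return realPath, nil
}
```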
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Arcane to version 1.19.4 or later to remediate this vulnerability
- Review Arcane project creation logs for suspicious compose files with include directives referencing paths outside the project directory
- Rotate all Arcane user credentials and API keys if compromise is suspected
- Audit file system permissions to ensure the Arcane backend process has minimal necessary access
- Implement network segmentation to limit Arcane's Docker control plane access to production hosts
- Monitor for anomalous Docker container or image operations that may indicate post-exploitation activity
Evidence notes
Vulnerability description sourced from official CVE record and GitHub Security Advisory. CVSS 3.1 score 7.7 (HIGH) per NVD. Fix commit and advisory confirmed via [email protected] source.
Official resources
2026-05-29