CVE-2026-45626 | Arcane is an interface for managing Docker containers, image… | CVSS 6.3 MEDIUM

Description

Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.

Metadata

CVE ID: CVE-2026-45626
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-12 20:31 UTC
Published: 2026-05-29 17:10 UTC
Last updated: 2026-06-01 22:35 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: getarcaneapp / arcane
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
getarcaneapp	arcane	—	<= 1.18.1

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (1)

https://github.com/getarcaneapp/arcane/security/advisories/GHSA-9mvm-4gwg-v8mp https://github.com/getarcaneapp/arcane/security/advisories/GHSA-9mvm-4gwg-v8mp