← back
CVE-2026-45626

Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter

CVSS 6.3 MEDIUMEPSS 0.2%CWE-78
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
29 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected products
getarcaneapp · arcane

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →