{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23520", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.980Z", "datePublished": "2026-01-15T19:20:22.434Z", "dateUpdated": "2026-01-15T19:58:45.182Z"}, "containers": {"cna": {"title": "Arcane has a Command Injection in Arcane Updater Lifecycle Labels Enables RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8"}, {"name": "https://github.com/getarcaneapp/arcane/pull/1468", "tags": ["x_refsource_MISC"], "url": "https://github.com/getarcaneapp/arcane/pull/1468"}, {"name": "https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4", "tags": ["x_refsource_MISC"], "url": "https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4"}, {"name": "https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0"}], "affected": [{"vendor": "getarcaneapp", "product": "arcane", "versions": [{"version": "< 1.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T19:20:22.434Z"}, "descriptions": [{"lang": "en", "value": "Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane\u2019s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0."}], "source": {"advisory": "GHSA-gjqq-6r35-w3r8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T19:58:38.291447Z", "id": "CVE-2026-23520", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:58:45.182Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23520", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-15T19:58:38.291447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:58:41.451Z"}}], "cna": {"title": "Arcane has a Command Injection in Arcane Updater Lifecycle Labels Enables RCE", "source": {"advisory": "GHSA-gjqq-6r35-w3r8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "getarcaneapp", "product": "arcane", "versions": [{"status": "affected", "version": "< 1.13.0"}]}], "references": [{"url": "https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8", "name": "https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getarcaneapp/arcane/pull/1468", "name": "https://github.com/getarcaneapp/arcane/pull/1468", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4", "name": "https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0", "name": "https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane\u2019s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T19:20:22.434Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23520", "state": "PUBLISHED", "dateUpdated": "2026-01-15T19:58:45.182Z", "dateReserved": "2026-01-13T18:22:43.980Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T19:20:22.434Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arcane:arcane:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6334A63-DF55-490B-9840-4805617B2E8D", "versionEndExcluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane\u2019s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0."}], "id": "CVE-2026-23520", "lastModified": "2026-02-05T21:37:01.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-15T20:16:05.467", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/getarcaneapp/arcane/pull/1468"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:00:51.284905+00:00", "value": {"mitigation_remediation": ["Update Arcane to version 1.13.0 or later", "Restrict API project creation to administrators or disable lifecycle labels", "Audit existing deployments for malicious lifecycle labels and remove or neutralize them"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "GetArcaneApp Arcane version 1.12.x and earlier are affected. The issue was resolved in version 1.13.0.", "description_and_impact": "Arcane, a Docker management tool, contains a command injection flaw in its updater service. The vulnerability allows a malicious command to be injected via lifecycle labels that are executed with /bin/sh -c without sanitization. This flaw can lead to execution of arbitrary code inside the container during an update operation.", "risk_and_exploitability": "The CVSS score is 9.1, indicating critical severity. The EPSS score is below 1%, suggesting low exploitation probability at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated API user to create a project with the malicious lifecycle label; an administrator then triggers the container update, at which point the injected command executes inside the target container. The attack vector is therefore an authenticated, privileged operation, but the impact is full remote code execution within the container environment."}}}}, "created": "2026-01-16T13:43:09.312237+00:00", "updated": "2026-04-18T06:15:15.859674+00:00", "vendors": ["getarcaneapp", "getarcaneapp$PRODUCT$arcane"]}