{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25116", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.539Z", "datePublished": "2026-01-29T21:49:49.450Z", "dateUpdated": "2026-02-02T16:34:53.306Z"}, "containers": {"cna": {"title": "Runtipi vulnerable to unauthenticated docker-compose.yml Overwrite via Path Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6"}, {"name": "https://github.com/runtipi/runtipi/releases/tag/v4.7.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/runtipi/runtipi/releases/tag/v4.7.2"}], "affected": [{"vendor": "runtipi", "product": "runtipi", "versions": [{"version": ">= 4.5.0, < 4.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:49:49.450Z"}, "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability."}], "source": {"advisory": "GHSA-mwg8-x997-cqw6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T14:43:09.118358Z", "id": "CVE-2026-25116", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:34:53.306Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25116", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T14:43:09.118358Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T14:43:12.702Z"}}], "cna": {"title": "Runtipi vulnerable to unauthenticated docker-compose.yml Overwrite via Path Traversal", "source": {"advisory": "GHSA-mwg8-x997-cqw6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "runtipi", "product": "runtipi", "versions": [{"status": "affected", "version": ">= 4.5.0, < 4.7.2"}]}], "references": [{"url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6", "name": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/runtipi/runtipi/releases/tag/v4.7.2", "name": "https://github.com/runtipi/runtipi/releases/tag/v4.7.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:49:49.450Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25116", "state": "PUBLISHED", "dateUpdated": "2026-02-02T16:34:53.306Z", "dateReserved": "2026-01-29T14:03:42.539Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-29T21:49:49.450Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DE14B0D-E9DF-4F18-BEC4-6603D6B645A7", "versionEndExcluding": "4.7.2", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability."}], "id": "CVE-2026-25116", "lastModified": "2026-02-26T21:36:19.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-29T22:15:56.110", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/runtipi/runtipi/releases/tag/v4.7.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:17:34.528103+00:00", "value": {"mitigation_remediation": ["Upgrade Runtipi to version 4.7.2 or newer to remove the vulnerable code.", "Disable or restrict the UserConfigController API so that only authenticated users can access it, or use a firewall to block the endpoint from unauthenticated sources.", "Continuously monitor the docker\u2011compose.yml file and container logs for unauthorized modifications to detect potential exploitation early."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected versions include Runtipi releases from 4.5.0 through 4.7.1. Version 4.7.2 and later contain a fix that removes the vulnerable parsing logic. The product is an open\u2011source personal homeserver orchestrator that runs container stacks for home users.", "description_and_impact": "The UserConfigController in Runtipi is vulnerable to an unauthenticated path traversal exploit that allows an attacker to overwrite the system's docker\u2011compose.yml file. By manipulating URN parsing, the attacker can inject a malicious stack configuration, which will be executed the next time the instance restarts, giving complete control over the host.", "risk_and_exploitability": "The CVSS v3.1 score of 7.6 signals high severity, while an EPSS score of less than 1% indicates a low current exploitation likelihood. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no publicly known exploit yet. However, the path traversal component (CWE\u201122) and lack of authentication (CWE\u2011306) make the attack straightforward from any remote client that can reach the API endpoint."}}}}, "created": "2026-01-30T08:42:42.652897+00:00", "updated": "2026-04-18T01:30:16.031373+00:00", "vendors": ["runtipi", "runtipi$PRODUCT$runtipi"]}