HIGH 7.7

CVE-2026-47179: Arcane Path-Traversal in Docker Compose Include Directives

Arcane, a container management interface for Docker, has a path-traversal vulnerability that allows authenticated users to read arbitrary files from the server. An attacker can craft a malicious Docker Compose configuration file with include directives pointing to sensitive system files—such as /etc/passwd or Arcane's own database—and then retrieve the contents through the project file API. Since Arcane stores password hashes and API keys in its SQLite database, successful exploitation can lead to account takeover and remote code execution on the host system. The issue affects all versions prior to 1.19.4.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47179 stems from improper input validation in Arcane's ProjectService class. The vulnerability has two contributing factors: (1) ProjectService.CreateProject accepts and writes attacker-supplied Docker Compose content to disk without sanitizing include directive paths, and (2) ProjectService.GetProjectFileContent processes include directives before path-traversal validation occurs. This ordering flaw means an authenticated user can include a malicious include directive (e.g., include: ['../../../../etc/passwd']) in their project's compose file, which is persisted to disk and later resolved by the API endpoint without proper canonicalization or boundary checks. The attacker then retrieves file contents through the same API endpoint. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), scored CVSS 3.1 at 7.7 (HIGH severity).

Business impact

Organizations using Arcane face significant risk of credential compromise and lateral movement. An attacker with valid Arcane credentials—or an insider—can extract the entire user database containing password hashes and API keys, effectively compromising every Arcane user account. Escalation to administrative access then enables full control over Docker infrastructure managed through Arcane, potentially leading to workload exfiltration, data destruction, or deployment of malicious containers across the environment. In multi-tenant or shared-infrastructure scenarios, this represents a blast radius extending to all hosted services.

Affected systems

Arcane versions prior to 1.19.4 are affected. The vulnerability requires authentication to exploit, so only instances with user accounts or API key access are at active risk. Verify your installed version against the vendor advisory to confirm whether you are running a vulnerable release.

Exploitability

Exploitation requires valid authentication credentials to the Arcane instance. An attacker cannot exploit this vulnerability remotely without first obtaining legitimate user access. However, the attack is trivial once authenticated: it requires only crafting a compose file with a path-traversal include directive and using standard Arcane APIs to create a project and retrieve file contents. No special tooling, race conditions, or user interaction is required. The severity is further elevated because Arcane's database—containing credentials for the entire user base—is readable by the backend process, making it a high-value target.

Remediation

Upgrade Arcane to version 1.19.4 or later immediately. The patch implements proper validation of include directive paths before processing, ensuring that includes cannot traverse outside their intended project directory. Organizations should treat this as a priority remediation given the direct path to credential compromise and infrastructure control. After patching, review access logs and audit trails to detect whether this vulnerability was exploited in your environment.

Patch guidance

Consult the official Arcane release notes and security advisories for version 1.19.4 to confirm patch applicability and any prerequisite configuration changes. Test the upgrade in a non-production environment first, as container management tools often require careful orchestration during updates. Verify that compose file validation is functioning correctly post-patch by confirming that include directives are now restricted to safe paths. If you are currently on a version between the initial release and 1.19.4, plan your upgrade path accordingly and prioritize rapid deployment.

Detection guidance

Monitor Arcane audit logs for suspicious project creation events, particularly those involving compose files with include directives pointing to system directories (e.g., ../, etc/, app/). Search for API calls to GetProjectFileContent that occur shortly after project creation with non-standard file paths. Review recently created projects and their compose file contents for path-traversal patterns. Check Arcane database access logs and file-system activity logs for reads of /app/data/arcane.db or similar sensitive files. Correlation of these indicators may reveal past exploitation attempts.

Why prioritize this

This vulnerability merits immediate attention because: (1) it enables unauthenticated attackers to assume any user identity via credential theft, (2) it provides direct access to the Arcane database containing all user secrets, (3) it leads to complete compromise of Docker infrastructure, and (4) a patch is available and should be deployed without delay. The attack is simple, the impact is severe, and the remediation is straightforward.

Risk score, explained

The CVSS 3.1 score of 7.7 (HIGH) reflects a network-accessible vulnerability requiring low privileges (authentication) with low attack complexity. The attack vector is network-based, no user interaction is needed, and the scope changes because compromise of Arcane enables control over the entire Docker environment. Confidentiality impact is high due to unrestricted file read access; integrity and availability impacts are not directly rated by CVSS but are substantial given the ability to escalate to admin and execute code on the host.

Frequently asked questions

Does this vulnerability require me to be an admin to exploit it?

No. Any authenticated user—even one with minimal permissions—can create a project with a malicious compose file and retrieve arbitrary files readable by the Arcane backend process. However, you must have valid credentials (username/password or API key) to access Arcane at all.

Can an attacker use this to compromise my Docker host?

Yes, indirectly. By extracting the Arcane database and obtaining admin credentials, an attacker gains full API access to Arcane and can then leverage Arcane's Docker control plane to deploy containers, modify deployments, or execute arbitrary commands on the host.

What files should I be most concerned about?

The /app/data/arcane.db SQLite database is the most critical target, as it contains every Arcane user's password hash and API key. Attackers will also target /etc/passwd for local account enumeration and sensitive configuration files. Any file readable by the Arcane process is at risk.

Is there a workaround if I cannot patch immediately?

Limit network access to Arcane to trusted internal networks only, restrict API token issuance to essential service accounts, and implement strict firewall rules. These measures reduce the attack surface but do not eliminate the vulnerability. Patching remains the only reliable fix and should be scheduled urgently.

This analysis is provided for informational purposes and reflects information available as of the publication date. It does not constitute professional security advice or a substitute for vendor security advisories. Organizations should verify patch availability and applicability in their specific deployment environment by consulting official Arcane documentation and security bulletins. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability details and recommends independent verification of all technical claims against authoritative sources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).