CVE-2026-23520
Arcane · Docker Management
Arcane Docker management software prior to 1.13.0 contains a command injection vulnerability in the updater service, allowing authenticated users to execute arbitrary shell commands.
Executive summary
A command injection vulnerability in Arcane prior to 1.13.0, reachable by any authenticated user, allows arbitrary commands to be executed during the container update process. The payload is stored when a project is created and fires later, when an administrator runs an update.
Vulnerability
The updater service does not validate the lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update; their values are passed directly to /bin/sh as a script, so any shell metacharacters in a label are interpreted. An authenticated user can create a project whose labels contain a malicious value. Nothing runs at that point; the command executes later, in the updater's own context rather than the creating user's, when an administrator triggers an update. This makes it a stored (second-order) injection: the low-privileged user plants the payload and the administrator's routine action detonates it.
Business impact
The CVSS score of 9.0 reflects the combination of privilege escalation and remote code execution: a standard user's input is executed by the update process with that process's privileges. Successful exploitation allows an attacker to break out of the container context or influence the host environment, potentially leading to full system compromise.
Remediation
Immediate Action: Upgrade Arcane to version 1.13.0 or later to resolve the command injection flaw.
Proactive Monitoring: Audit existing project and container configurations for com.getarcaneapp.arcane.lifecycle.pre-update and post-update labels that were not set by an administrator, or whose values contain shell metacharacters (;, |, &&, $( ), backticks); review logs for /bin/sh processes spawned unexpectedly by the Arcane updater.
Compensating Controls: Implement strict Role-Based Access Control (RBAC) to limit which users can create or edit projects, and restrict API access to trusted network segments until the upgrade is complete.
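The following Go program is an added illustration, not Arcane's code and not its actual fix. It shows the unsafe pattern the Vulnerability section describes (the raw label value handed to /bin/sh -c) next to a hypothetical hardened handler that treats the label as an argv list, requires an allow-listed hook binary and refuses shell metacharacters, and it reuses that check as the label audit recommended under Proactive Monitoring. The allow-listed paths, function names and sample label values are all assumptions constructed for the example; the vulnerable argv is built but deliberately never executed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Label keys named in the advisory.
const (
	PreUpdateLabel  = "com.getarcaneapp.arcane.lifecycle.pre-update"
	PostUpdateLabel = "com.getarcaneapp.arcane.lifecycle.post-update"
)

// vulnerableHookArgv mirrors the pattern the advisory describes: the raw label
// value becomes the script argument of "/bin/sh -c", so ";", "|", "$(...)" and
// backticks in the label are interpreted by the shell. The argv is only built
// here, never executed.
func vulnerableHookArgv(label string) []string {
	return []string{"/bin/sh", "-c", label}
}

// Characters that would be meaningful to a shell. Since the hardened path never
// invokes a shell this is belt-and-braces, but it also makes the audit strict.
var shellMeta = regexp.MustCompile("[;&|<>`$(){}\\\\\"'\\n]")

// Hypothetical allow-list of hook programs an administrator has approved.
var allowedHookBinaries = map[string]bool{
	"/usr/local/bin/pre-update.sh":  true,
	"/usr/local/bin/post-update.sh": true,
}

// hardenedHookArgv is a hypothetical safe handler: the label is split into
// fields (no shell parsing), the program must be allow-listed, and no field
// may contain shell metacharacters.
func hardenedHookArgv(label string) ([]string, error) {
	fields := strings.Fields(label)
	if len(fields) == 0 {
		return nil, errors.New("empty hook")
	}
	if !allowedHookBinaries[fields[0]] {
		return nil, fmt.Errorf("hook binary %q is not allow-listed", fields[0])
	}
	for _, f := range fields {
		if shellMeta.MatchString(f) {
			return nil, fmt.Errorf("hook argument %q contains shell metacharacters", f)
		}
	}
	return fields, nil
}

// runHook executes an already-validated argv directly, without a shell, so any
// metacharacter that slipped into an argument is passed literally, not parsed.
func runHook(argv []string) error {
	return exec.Command(argv[0], argv[1:]...).Run()
}

// Finding is one audit hit for the Proactive Monitoring step.
type Finding struct {
	Container string
	Label     string
	Value     string
	Reason    string
}

// auditLabels scans container label maps (the shape "docker inspect" reports
// under Config.Labels) for lifecycle labels that fail the hardened check.
func auditLabels(containers map[string]map[string]string) []Finding {
	var out []Finding
	for name, labels := range containers {
		for _, key := range []string{PreUpdateLabel, PostUpdateLabel} {
			v, ok := labels[key]
			if !ok {
				continue
			}
			if _, err := hardenedHookArgv(v); err != nil {
				out = append(out, Finding{Container: name, Label: key, Value: v, Reason: err.Error()})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample data, not real Arcane configuration.
	sample := map[string]map[string]string{
		"web": {PreUpdateLabel: "/usr/local/bin/pre-update.sh --drain"},
		"api": {PostUpdateLabel: "/usr/local/bin/post-update.sh; id"},
	}
	fmt.Printf("unsafe argv: %q\n", vulnerableHookArgv(sample["api"][PostUpdateLabel]))
	for _, f := range auditLabels(sample) {
		fmt.Printf("FLAG %s %s=%q: %s\n", f.Container, f.Label, f.Value, f.Reason)
	}
}
```

The "api" container's post-update label is exactly the shape the advisory warns about: under the vulnerable pattern /bin/sh would run the hook and then "id"; under the hardened handler the first field "/usr/local/bin/post-update.sh;" is not an allow-listed program and the label is rejected before anything runs. To audit a live host, feed the output of "docker inspect --format '{{json .Config.Labels}}'" into auditLabels instead of the constructed sample.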
Exploitation status
Public Exploit Available: None
Analyst recommendation
The ability of a standard user to plant a command that an administrator's routine update later executes makes this a high-priority update. Administrators must ensure all instances of Arcane are updated to 1.13.0 or later to eliminate the injection vector and secure the administrative update process.