CVE-2026-23520

Arcane · Docker Management

Arcane Docker management software prior to 1.13.0 contains a command injection vulnerability in the updater service, allowing authenticated users to execute arbitrary shell commands.

Executive summary

An authenticated command injection vulnerability in Arcane prior to 1.13.0 allows malicious users to execute arbitrary commands during the container update process.

Vulnerability

The updater service does not validate the lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update; their values are passed directly to /bin/sh. An authenticated user can create a project carrying a malicious label value, which is then executed with higher privileges when an administrator triggers an update.

Business impact

The CVSS score of 9.0 highlights the severe risk of privilege escalation and remote code execution. Successful exploitation allows an attacker to break out of the container context or influence the host environment, potentially leading to full system compromise.

Remediation

Immediate Action: Upgrade Arcane to version 1.13.0 or later to resolve the command injection flaw.

Proactive Monitoring: Audit existing project configurations for unauthorized lifecycle labels and review logs for unexpected shell process spawning.

Compensating Controls: Implement strict Role-Based Access Control (RBAC) to limit which users can create projects and restrict API access to trusted segments.
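One way to carry out the label audit recommended above, as an added example that is not Arcane's own code: it parses the JSON that `docker inspect` emits, reports every container carrying one of the two lifecycle labels named in this advisory (any value present runs through /bin/sh, so each one deserves review), and flags values containing shell metacharacters. The embedded inspect output is constructed sample data.

```python
import json
import re
import sys

# Label keys named in the advisory; the updater passes their values to /bin/sh.
LIFECYCLE_LABELS = (
    "com.getarcaneapp.arcane.lifecycle.pre-update",
    "com.getarcaneapp.arcane.lifecycle.post-update",
)

# Shell syntax that lets a single label value chain or substitute commands.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Constructed sample of `docker inspect` output (three containers), not real data.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Labels": {
        "com.docker.compose.project": "web",
        "com.getarcaneapp.arcane.lifecycle.pre-update": "echo starting",
    }}},
    {"Name": "/db", "Config": {"Labels": {
        "com.getarcaneapp.arcane.lifecycle.post-update": "echo ok; cat /etc/hostname",
    }}},
    {"Name": "/cache", "Config": {"Labels": {}}},
])


def audit_lifecycle_labels(inspect_json: str) -> list:
    """Return one finding per lifecycle label found; 'suspicious' marks shell syntax."""
    findings = []
    for container in json.loads(inspect_json):
        labels = (container.get("Config") or {}).get("Labels") or {}
        for key in LIFECYCLE_LABELS:
            if key in labels:
                value = labels[key]
                findings.append({
                    "container": container.get("Name", "?").lstrip("/"),
                    "label": key,
                    "value": value,
                    "suspicious": bool(SHELL_META.search(value)),
                })
    return findings


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -aq) > inspect.json; python audit.py inspect.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for f in audit_lifecycle_labels(data):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:<10} {f['container']:<10} {f['label']} = {f['value']!r}")
```

Run against a real `docker inspect` dump, compare every reported label against the change records for that project, and treat any value you cannot account for as an indicator to investigate alongside the shell-spawn logs mentioned above.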

Exploitation status

Public Exploit Available: None

Analyst recommendation

The ability for a standard user to trigger arbitrary command execution makes this a high-priority update. Administrators must ensure all instances of Arcane are updated to 1.13.0 to eliminate the injection vector and secure the administrative update process.