Command Injection Vulnerability in Arcane Docker Management Tool
CVE-2026-23520

9.1 CRITICAL

Key Information:

CVE Published: 15 January 2026

What is CVE-2026-23520?

The Arcane Docker Management Tool contains a command injection vulnerability in its updater service in versions prior to 1.13.0. The flaw stems from unsafe handling of the container lifecycle labels 'com.getarcaneapp.arcane.lifecycle.pre-update' and 'com.getarcaneapp.arcane.lifecycle.post-update': their user-defined values are executed as shell commands without any sanitization. An authenticated user can exploit this by creating a project whose labels specify malicious commands. When an administrator later performs a container update, the updater runs those commands in the container's context, compromising the security of the application.
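The two label names above are the only inputs the updater needs to treat as hostile, so an administrator can audit a deployment for risky hook values before running an update, and a hardened updater can refuse to hand those values to a shell at all. The following Go program is an added example, not code from the Arcane project: it takes a constructed map of container labels shaped like Docker's Labels map, rejects any hook value containing shell metacharacters or an executable outside an assumed administrator allowlist, and shows how an accepted hook would be run as an argv slice through exec.Command rather than through `sh -c`. The sample containers, the allowlist and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"sort"
	"strings"
)

// LifecycleLabels are the two hook labels named in the advisory for CVE-2026-23520.
var LifecycleLabels = []string{
	"com.getarcaneapp.arcane.lifecycle.pre-update",
	"com.getarcaneapp.arcane.lifecycle.post-update",
}

// shellMeta matches characters that take on special meaning when a string is
// handed to `sh -c`: command separators, pipes, substitution and quoting.
var shellMeta = regexp.MustCompile("[;&|`$(){}<>\\\\\"'\n]")

// Finding is one hook value an administrator should look at before updating.
type Finding struct {
	Container, Label, Value, Reason string
}

// SafeArgv turns a hook value into an argv slice suitable for exec.Command
// (no shell involved). It rejects shell metacharacters outright and only
// accepts executables from an administrator-controlled allowlist.
func SafeArgv(value string, allowed []string) ([]string, error) {
	if shellMeta.MatchString(value) {
		return nil, fmt.Errorf("hook value contains shell metacharacters: %q", value)
	}
	argv := strings.Fields(value)
	if len(argv) == 0 {
		return nil, fmt.Errorf("empty hook value")
	}
	for _, a := range allowed {
		if argv[0] == a {
			return argv, nil
		}
	}
	return nil, fmt.Errorf("executable %q is not on the allowlist", argv[0])
}

// AuditLabels runs SafeArgv over every container's lifecycle hook labels and
// reports the values that would be rejected, sorted by container name.
func AuditLabels(containers map[string]map[string]string, allowed []string) []Finding {
	names := make([]string, 0, len(containers))
	for n := range containers {
		names = append(names, n)
	}
	sort.Strings(names)

	var findings []Finding
	for _, name := range names {
		for _, key := range LifecycleLabels {
			val, ok := containers[name][key]
			if !ok {
				continue
			}
			if _, err := SafeArgv(val, allowed); err != nil {
				findings = append(findings, Finding{name, key, val, err.Error()})
			}
		}
	}
	return findings
}

// SampleContainers is constructed test data shaped like the Labels map Docker
// returns for a container; it is not taken from a real deployment.
var SampleContainers = map[string]map[string]string{
	"web": {
		"com.getarcaneapp.arcane.lifecycle.pre-update": "/usr/local/bin/backup --fast",
	},
	"db": {
		"com.getarcaneapp.arcane.lifecycle.post-update": "/usr/local/bin/backup && id",
	},
	"cache": {
		// No metacharacters, but the executable is a shell, which would
		// reintroduce exactly the problem the allowlist exists to prevent.
		"com.getarcaneapp.arcane.lifecycle.pre-update": "/bin/sh -c true",
	},
}

// Allowed is the assumed administrator-controlled allowlist of hook executables.
var Allowed = []string{"/usr/local/bin/backup"}

func main() {
	for _, f := range AuditLabels(SampleContainers, Allowed) {
		fmt.Printf("%-6s %s = %q: %s\n", f.Container, f.Label, f.Value, f.Reason)
	}
	// How a hardened updater would run an accepted hook: argv straight to
	// exec.Command, never `sh -c value`.
	if argv, err := SafeArgv(SampleContainers["web"][LifecycleLabels[0]], Allowed); err == nil {
		cmd := exec.Command(argv[0], argv[1:]...)
		fmt.Println("would run:", cmd.Args)
	}
}
```

The allowlist check matters as much as the metacharacter filter: a value such as `/bin/sh -c true` passes the filter, but letting the hook name a shell binary hands control back to a shell parser and defeats the argv approach. Running the audit against `docker inspect` output for every project before an update gives the administrator the same check the fixed updater should perform internally.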

Affected Version(s)

arcane < 1.13.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
