Arbitrary File Read Vulnerability in Runtipi Personal Homeserver
CVE-2026-47277

6.5MEDIUM

Key Information:

Vendor: Runtipi
Status: Runtipi
Vendor: CVE Published:; 16 June 2026

What is CVE-2026-47277?

A vulnerability in Runtipi, a personal homeserver orchestrator, enables arbitrary file reads through a publicly accessible endpoint. Versions 4.9.1 through 4.9.3 fail to properly validate symbolic links for app-store logos stored in cloned repositories. This flaw allows attackers to exploit the unauthenticated endpoint, potentially disclosing sensitive local files, including environment configurations and service credentials. The issue has been mitigated in version 4.10.0.

Affected Version(s)

runtipi >= 4.9.1, < 4.10.0

References

https://github.com/runtipi/runtipi/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/runtipi/runtipi/releases/tag/v4.10.0

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
May 18, 2026

CVE-2026-47277 Data

JSON