CVE-2026-45626

MEDIUM 6.3

Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter

CVSS Score

6.3

EPSS Score

0.1%

EPSS Percentile

28th

Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.

CWE	CWE-78
Vendor	getarcaneapp
Product	arcane
Published	May 29, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for getarcaneapp arcane

Be the first to know when new medium vulnerabilities affecting getarcaneapp arcane are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

getarcaneapp / arcane

<= 1.18.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/getarcaneapp/arcane/security/advisories/GHSA-9mvm-4gwg-v8mp