CVE-2026-24129 Overview
CVE-2026-24129 is a command injection vulnerability in Runtipi, a Docker-based personal homeserver orchestrator that manages multiple services on a single server. Versions 3.7.0 and later, prior to the fix in 4.7.0, allow authenticated users to execute arbitrary system commands on the host by injecting shell metacharacters into backup filenames. The BackupManager component does not sanitize the filenames of uploaded backups, so an attacker can stage a maliciously named file whose name is later handed to a shell during the restore process.
Critical Impact
Authenticated attackers can achieve remote code execution on the host system by exploiting unsanitized backup filenames, potentially leading to complete server compromise.
Affected Products
- Runtipi versions 3.7.0 through 4.6.x
- Runtipi homeserver orchestrator with backup/restore functionality
- Docker-based Runtipi deployments with authenticated user access
Discovery Timeline
- 2026-01-22 - CVE-2026-24129 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-24129
Vulnerability Analysis
This vulnerability stems from insufficient input validation in the backup upload and restore functionality of Runtipi's BackupManager component. The system writes user-uploaded files to the host filesystem under the raw originalname supplied in the HTTP request, with no sanitization. An attacker can therefore choose a backup filename containing shell metacharacters, such as $(id).tar.gz or a similar command substitution pattern.
When an authenticated user uploads a maliciously named backup file, it is stored at a predictable path on the filesystem. The exploitation itself occurs during restore: the unsanitized filename is interpolated into a shell command without escaping, so the embedded metacharacters are interpreted by the system shell and the substituted command runs with the privileges of the Runtipi process.
The attack requires an authenticated Runtipi account, but the vulnerability is assessed with a changed scope (the CVSS Scope metric), meaning a successful exploit can affect resources beyond the vulnerable component itself, potentially including other services and containers that Runtipi manages on the host system.
Root Cause
The root cause is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) vulnerability. The BackupManager module directly uses user-supplied filenames in system operations without implementing input sanitization. The originalname from uploaded files is trusted implicitly and passed through to filesystem operations and shell commands during the backup restore workflow.
Attack Vector
The attack is network-accessible and requires high privileges (an authenticated user account) but no user interaction. An attacker with valid credentials can:
- Craft a backup file with shell metacharacters in the filename (e.g., $(whoami).tar.gz or `id`.tar.gz)
- Upload the malicious backup through the Runtipi web interface, after which it is stored on the host filesystem at a predictable location under its unsanitized name
- Trigger the restore functionality for the uploaded backup, at which point the shell metacharacters in the filename are interpreted and executed during the restore operation
// Security patch - sanitize backup filenames before manipulation
// Source: https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
// packages/backend/src/common/helpers/exec-helpers.ts
-import { exec } from 'node:child_process';
+import { exec, spawn } from 'node:child_process';
+import type { SpawnOptionsWithoutStdio } from 'node:child_process';
import { promisify } from 'node:util';
type ExecAsyncParams = [command: string];
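Review bot: `exec` stays imported next to the newly added `spawn`, and `ExecAsyncParams` is still `[command: string]`, so within this hunk the single-string shell command path remains; the helper that actually uses `spawn` with `SpawnOptionsWithoutStdio` is not shown here. Worth confirming in the rest of the change that the restore path passes the backup filename as a separate argv element through `spawn` (no shell) and that no remaining `exec` call string-interpolates a user-controlled filename.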
The patch introduces safer process spawning mechanisms alongside the existing exec function.
// Filename sanitization function added
// Source: https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
// packages/backend/src/common/helpers/file-helpers.ts
};
export const notEmpty = <TValue>(value: TValue | null | undefined): value is TValue => value !== null && value !== undefined;
+
+export const sanitizeFilename = (filename: string) => filename.replace(/[^a-zA-Z0-9._:-]/g, '');
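Review bot: `sanitizeFilename` rewrites rather than rejects, so a caller cannot tell that `$(id).tar.gz` was turned into `id.tar.gz`, and a name made entirely of disallowed characters collapses to an empty string. Because `.` is in the allow-list, `..` also passes through unchanged. Suggest comparing the result with the input and refusing mismatches, and rejecting empty or dot-only results, e.g. `if (clean !== filename || clean === '' || clean === '..') throw new Error(...)`. The hunk also doesn't show where the helper is called; confirm it is applied at upload time and again before the restore command is built, not only in one of the two places.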
The fix implements a sanitizeFilename function that strips all characters except alphanumeric characters, periods, underscores, colons, and hyphens, effectively neutralizing shell metacharacters.
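The following is an added example, not Runtipi's code or part of the upstream patch. It ports the allow-list from the patched sanitizeFilename, pairs it with a stricter validator that rejects instead of silently rewriting (an assumption about policy, not the project's behaviour), and shows the restore command built as an argv array for spawn() rather than a single string for exec(). The directory paths, the .tar.gz requirement and the tar invocation are constructed for illustration.

```typescript
// Added example (not Runtipi's code): allow-list sanitizer, strict validator,
// and a shell-free restore command. Paths and the tar command line are constructed.
import { spawnSync } from 'node:child_process';
import { dirname, join, resolve } from 'node:path';

// Same allow-list as the patched sanitizeFilename: keep letters, digits, . _ : -
export const sanitizeFilename = (filename: string): string =>
  filename.replace(/[^a-zA-Z0-9._:-]/g, '');

// Stricter policy (an assumption, not the project's): a name the sanitizer would
// change is rejected outright, and names that survive sanitization but are still
// unsafe as a path component (empty, '.', '..') or not an archive are refused.
export function validateBackupFilename(filename: string): string {
  const clean = sanitizeFilename(filename);
  if (clean !== filename) {
    throw new Error('rejected backup filename: contains characters outside [a-zA-Z0-9._:-]');
  }
  if (clean === '' || clean === '.' || clean === '..') {
    throw new Error('rejected backup filename: empty or dot-only');
  }
  if (!clean.endsWith('.tar.gz')) {
    throw new Error('rejected backup filename: expected a .tar.gz archive');
  }
  return clean;
}

// The vulnerable shape, kept only for contrast and never executed here: one string
// that exec() hands to /bin/sh, so $(...) and backticks in the name get expanded.
export function buildRestoreCommandUnsafe(backupDir: string, filename: string, restoreDir: string): string {
  return `tar -xzf ${join(backupDir, filename)} -C ${restoreDir}`;
}

// The hardened shape: validated name, argv array, no shell. Each element reaches
// tar as one literal argument, so shell metacharacters have no special meaning.
export function buildRestoreArgv(backupDir: string, filename: string, restoreDir: string): string[] {
  const base = resolve(backupDir);
  const archive = join(base, validateBackupFilename(filename));
  // Defence in depth: the archive must still sit directly inside the backup directory.
  if (dirname(archive) !== base) {
    throw new Error('rejected backup filename: escapes the backup directory');
  }
  return ['tar', '-xzf', archive, '-C', restoreDir];
}

// Why argv matters: a child spawned without a shell receives each argument verbatim.
// node is used here in place of tar so the demo is self-contained; with `-e`,
// process.argv[1] in the child is the first extra argument we passed.
export function spawnEchoesArgLiterally(arg: string): string {
  const result = spawnSync(process.execPath, ['-e', 'process.stdout.write(process.argv[1])', arg], {
    encoding: 'utf8',
  });
  return result.stdout;
}
```

The vulnerable variant is included only to show the shape that exec() makes dangerous; the hardened variant never builds a shell string, and the validator refuses names such as $(id).tar.gz before any path is formed, so the restore step never sees them.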
Detection Methods for CVE-2026-24129
Indicators of Compromise
- Backup files with unusual characters in filenames including $(), backticks, semicolons, or pipe characters
- Unexpected system commands in process listings or logs correlating with backup restore operations
- Anomalous files in Runtipi backup directories with shell metacharacter patterns in names
- Unusual network connections or processes spawned by the Runtipi service
Detection Strategies
- Monitor backup upload endpoints for filenames containing shell metacharacters such as $, `, ;, |, &, or newlines
- Implement file integrity monitoring on Runtipi backup directories to detect suspicious file creation
- Review Runtipi service logs for restore operations with unusual filenames or error patterns indicating command injection attempts
- Deploy web application firewall rules to detect and block requests with shell metacharacters in file upload parameters
Monitoring Recommendations
- Enable verbose logging for all backup and restore operations within Runtipi
- Configure alerts for any shell command errors during restore processes that may indicate exploitation attempts
- Monitor system process creation for unexpected child processes spawned by the Runtipi backend
- Implement audit logging for all authenticated actions in the Runtipi administration interface
How to Mitigate CVE-2026-24129
Immediate Actions Required
- Upgrade Runtipi to version 4.7.0 or later which contains the security fix
- Audit existing backup files in the backup directory for any filenames containing shell metacharacters
- Review access logs for suspicious backup upload or restore activity
- Restrict Runtipi administrative access to trusted users only until patching is complete
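As an added example (not Runtipi's code), the scanner below serves both the detection strategy of monitoring upload and restore activity for metacharacter-laden filenames and the immediate action of auditing the existing backup directory. It applies the patched allow-list in reverse: any filename the sanitizer would have rewritten is reported, along with the offending characters. The log line format and every sample value are constructed for this example; real Runtipi logs will need their own parser.

```typescript
// Added example (not Runtipi's code): flag backup filenames that contain
// characters outside the patch's allow-list, over a directory listing and over
// upload/restore log lines. Log format and sample values are constructed.
import { readdirSync } from 'node:fs';

export interface Finding {
  source: string;    // directory path, or the log line's timestamp
  filename: string;
  offending: string; // characters the sanitizer would strip, in order of appearance
  action?: string;   // 'upload' | 'restore' when taken from a log line
}

// One character of the patched allow-list.
const ALLOWED = /[a-zA-Z0-9._:-]/;

// Characters outside the allow-list, deduplicated, in order of first appearance.
export function offendingChars(filename: string): string {
  const seen = new Set<string>();
  for (const ch of filename) {
    if (!ALLOWED.test(ch)) seen.add(ch);
  }
  return Array.from(seen).join('');
}

// Audit a list of names (e.g. from a directory listing). Dot-only and empty
// names carry no metacharacters but are reported too, since they are not valid backups.
export function scanFilenames(names: string[], source = 'dir'): Finding[] {
  const findings: Finding[] = [];
  for (const name of names) {
    const bad = offendingChars(name);
    if (bad !== '' || name === '' || name === '.' || name === '..') {
      findings.push({ source, filename: name, offending: bad });
    }
  }
  return findings;
}

// Audit a real backup directory on disk.
export function scanBackupDirectory(dir: string): Finding[] {
  return scanFilenames(readdirSync(dir), dir);
}

// Constructed log line shape: <timestamp> backup.<upload|restore> user=<name> filename="<name>"
const LOG_LINE = /^(\S+)\s+backup\.(upload|restore)\s+user=(\S+)\s+filename="(.*)"$/;

// Scan upload/restore log lines; a restore of a flagged name is the high-signal event,
// since that is the step where the shell would have interpreted the filename.
export function scanLogLines(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const ts = m[1] ?? '';
    const action = m[2] ?? '';
    const filename = m[4] ?? '';
    const bad = offendingChars(filename);
    if (bad !== '') findings.push({ source: ts, filename, offending: bad, action });
  }
  return findings;
}

// Constructed sample log, not real Runtipi output.
export const SAMPLE_LOG: string[] = [
  '2026-01-22T09:14:02Z backup.upload user=alice filename="nextcloud-2026-01-21.tar.gz"',
  '2026-01-22T09:15:40Z backup.upload user=mallory filename="$(id).tar.gz"',
  '2026-01-22T09:16:03Z backup.restore user=mallory filename="$(id).tar.gz"',
  '2026-01-22T09:20:11Z backup.restore user=alice filename="nextcloud-2026-01-21.tar.gz"',
  '2026-01-22T09:21:55Z backup.upload user=bob filename="weekly|sync.tar.gz"',
];

for (const f of scanLogLines(SAMPLE_LOG)) {
  console.log(`${f.source} ${f.action} ${JSON.stringify(f.filename)} offending=${JSON.stringify(f.offending)}`);
}
```

Running the block prints the three flagged lines (two uploads and one restore); pointing scanBackupDirectory at the Runtipi backup directory performs the audit step from the list above on files that are already on disk.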
Patch Information
The vulnerability has been fixed in Runtipi version 4.7.0. The patch implements filename sanitization through a new sanitizeFilename function that removes all potentially dangerous characters before processing backup files. The fix is available through the GitHub release v4.7.0 and detailed in the GitHub Security Advisory GHSA-vrgf-rcj5-6gv9. The specific commit c3aa948885554a370d374692158a3bfe1cfdc85a contains the security fix.
Workarounds
- Implement a web application firewall or reverse proxy rule to reject file uploads containing shell metacharacters in filenames
- Temporarily disable the backup/restore functionality if not critical to operations until patching is complete
- Restrict network access to the Runtipi management interface to trusted IP addresses only
- Consider running Runtipi in a more isolated environment with reduced host system privileges
# Configuration example - Restrict Runtipi access via reverse proxy (nginx example)
# Block backup uploads with dangerous characters in filename
# Caveat: "if" is evaluated in nginx's rewrite phase, before the request body has
# been read, so $request_body is empty at that point and this rule will not match
# a multipart upload as written. Enforcing it needs a module that can inspect the
# buffered body, or a WAF in front of nginx; the rule is shown for the intended logic.
location /api/backup {
    # Only allow alphanumeric, dots, underscores, and hyphens in uploaded filenames:
    # reject a multipart filename= parameter whose value carries shell metacharacters
    if ($request_body ~* "filename=\"[^\"]*[\$\`\;\|\&\(\)\{\}\[\]\<\>]") {
        return 403;
    }
    proxy_pass http://runtipi-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.