CVE-2026-45626 Overview
CVE-2026-45626 is a command injection vulnerability in Arcane, a web interface for managing Docker containers, images, networks, and volumes. The flaw affects versions 1.18.1 and earlier. The GET /environments/{id}/volumes/{volumeName}/browse endpoint accepts a path query parameter that flows into a shell command executed inside an Arcane helper container. The path sanitiser blocks ../ traversal but fails to strip Bourne-shell metacharacters such as $() and backticks. Any authenticated user with access to a browseable volume can execute arbitrary shell commands inside the helper container, with output reflected in the HTTP 500 error response body.
Critical Impact
Authenticated attackers can execute arbitrary shell commands inside the Arcane helper container and read the command output through reflected error responses.
Affected Products
- Arcane Docker management interface, versions 1.18.1 and earlier
- Deployments exposing the volume browse endpoint to authenticated users
- Helper container runtime used by Arcane to inspect Docker volumes
Discovery Timeline
- 2026-05-29 - CVE-2026-45626 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-45626
Vulnerability Analysis
The vulnerability is classified as OS Command Injection [CWE-78]. Arcane's volume browser handler constructs a shell pipeline of the form sh -c "find … | while …" to enumerate files under a user-supplied path. The application attempts to defend this construction with two controls: a path sanitiser that blocks parent directory traversal sequences, and strconv.Quote to wrap the supplied value. Neither control addresses shell metacharacter interpretation. strconv.Quote escapes Go string literal metacharacters such as quotes and backslashes, but it does not neutralise shell substitution sequences. As a result, $(...) and backtick expressions remain intact when the resulting string is handed to sh -c. Stdout and stderr from the injected command flow back into the HTTP 500 response body, giving the attacker direct read access to command output without needing an out-of-band channel.
Root Cause
The root cause is improper neutralisation of shell metacharacters when building a command string for sh -c. The developer relied on string-quoting semantics intended for Go source code rather than shell-safe argument passing. Constructing the command with exec.Command("find", path, ...) and avoiding sh -c entirely would have eliminated the injection surface.
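The two points above (strconv.Quote leaving shell substitution intact, and an argument vector being the correct fix) can be shown in a few lines of Go. The following is an added example, not Arcane's code: the function names, the allowlist in validateVolumePath, and the find invocation are assumptions chosen for illustration, and the allowlist is defence in depth rather than a replacement for avoiding sh -c.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// quoteLeavesSubstitution demonstrates the root cause: strconv.Quote
// escapes Go string-literal metacharacters (quotes, backslashes, control
// characters) but leaves $( and backtick sequences untouched, so they are
// still live once the string reaches sh -c.
func quoteLeavesSubstitution(path string) bool {
	q := strconv.Quote(path)
	return strings.Contains(q, "$(") || strings.Contains(q, "`")
}

// validateVolumePath is a hypothetical allowlist check (not Arcane's own):
// it rejects parent traversal and any character outside a conservative set,
// so a path cannot carry a payload even if it were ever handed to a shell.
func validateVolumePath(path string) error {
	if strings.Contains(path, "..") {
		return fmt.Errorf("parent directory traversal not allowed")
	}
	for _, r := range path {
		ok := r == '/' || r == '.' || r == '-' || r == '_' ||
			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !ok {
			return fmt.Errorf("character %q not permitted in volume path", r)
		}
	}
	return nil
}

// buildFindArgs builds the enumeration command as an argument vector, as the
// root-cause note recommends. Each element becomes a separate argv entry to
// execve, so nothing in path is ever parsed by a shell: "$(id)" would be a
// literal directory name. The find options are an assumed minimal listing.
func buildFindArgs(root, path string) []string {
	full := root + "/" + strings.TrimPrefix(path, "/")
	return []string{"find", full, "-mindepth", "1", "-maxdepth", "1"}
}

// browseCommand wires validation and argv construction together and returns
// a ready-to-run *exec.Cmd without ever invoking sh -c.
func browseCommand(root, path string) (*exec.Cmd, error) {
	if err := validateVolumePath(path); err != nil {
		return nil, err
	}
	args := buildFindArgs(root, path)
	return exec.Command(args[0], args[1:]...), nil
}

func main() {
	payload := "/var/$(id)" // the substitution shape named in the advisory
	fmt.Printf("strconv.Quote(%q) = %s; substitution intact: %v\n",
		payload, strconv.Quote(payload), quoteLeavesSubstitution(payload))
	if _, err := browseCommand("/mnt/volume", payload); err != nil {
		fmt.Println("rejected:", err)
	}
	cmd, _ := browseCommand("/mnt/volume", "/var/log")
	fmt.Println("argv:", cmd.Args)
}
```

The argv form is the structural fix: the metacharacters never meet a shell. The allowlist only narrows what the endpoint accepts and is worth keeping regardless, since a path inside a mounted volume rarely needs anything beyond the characters permitted here.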
Attack Vector
The attack vector is network-based and requires an authenticated session with access to at least one browseable Docker volume. An attacker issues a GET request to the volume browse endpoint with a path parameter containing a command substitution payload such as $(id) or backtick-wrapped commands. The Arcane backend interpolates the value into the shell pipeline, executes the substituted command inside the helper container, and returns the resulting output inside the 500 error body. The injected commands run with the privileges of the helper container, which typically mounts the inspected Docker volume.
No verified public proof-of-concept exploit is available. See the GitHub Security Advisory GHSA-9mvm-4gwg-v8mp for additional technical detail.
Detection Methods for CVE-2026-45626
Indicators of Compromise
- HTTP requests to /environments/{id}/volumes/{volumeName}/browse containing $(, backtick characters, or URL-encoded equivalents (%24%28, %60) in the path query parameter.
- HTTP 500 responses from the volume browse endpoint whose body contains output of system commands such as user names, environment variables, or file contents.
- Unexpected child processes spawned by the Arcane helper container, particularly processes other than the sh and find processes that make up the documented enumeration pipeline.
Detection Strategies
- Inspect Arcane application logs and reverse proxy access logs for path query parameters containing shell metacharacters.
- Correlate authenticated user activity with volume browse requests to identify anomalous access patterns from low-privilege accounts.
- Monitor the Arcane helper container for process executions that are not part of the documented volume enumeration workflow.
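The first two detection strategies can be automated over reverse proxy access logs. The following Go program is an added example, not part of the advisory or of Arcane: the log lines are constructed in Common Log Format for illustration, and the route and field names follow the endpoint described above. It URL-decodes the path query parameter before matching, so the encoded forms %24%28 and %60 listed under Indicators of Compromise are caught alongside literal characters, and it separately flags 500 responses on the browse route because that is where the advisory says command output is reflected.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// browseRoute matches the vulnerable route shape from the advisory.
var browseRoute = regexp.MustCompile(`^/environments/[^/]+/volumes/[^/]+/browse$`)

// logLine pulls the method, request target and status code out of a
// Common Log Format request line (constructed format for this example).
var logLine = regexp.MustCompile(`"(GET|POST|PUT|DELETE) ([^ ]+) HTTP/[0-9.]+" (\d{3})`)

// Finding records one suspicious access-log entry.
type Finding struct {
	Line   int
	Reason string
	Path   string
	Status string
}

// suspiciousPath reports whether a decoded path value contains the
// substitution sequences named in the indicators-of-compromise list.
func suspiciousPath(decoded string) bool {
	return strings.Contains(decoded, "$(") || strings.Contains(decoded, "`")
}

// scanAccessLog keeps only requests to the volume browse route, decodes the
// path query parameter, and flags shell metacharacters. A 500 response on
// the route without metacharacters is still reported, at lower confidence,
// since the advisory ties reflected command output to that status.
func scanAccessLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		target, status := m[2], m[3]
		u, err := url.Parse(target)
		if err != nil || !browseRoute.MatchString(u.Path) {
			continue
		}
		// u.Query() percent-decodes, so %24%28 becomes $( and %60 becomes `.
		p := u.Query().Get("path")
		switch {
		case suspiciousPath(p):
			findings = append(findings, Finding{i + 1, "shell metacharacter in path parameter", p, status})
		case status == "500":
			findings = append(findings, Finding{i + 1, "HTTP 500 on volume browse route", p, status})
		}
	}
	return findings
}

// sampleLog is constructed test data: one benign browse, two requests
// carrying the substitution shapes the advisory names (percent-encoded, as
// a proxy would log them), one 500 with a clean path, and one unrelated route.
var sampleLog = []string{
	`10.0.0.5 - alice [29/May/2026:10:00:01 +0000] "GET /environments/1/volumes/appdata/browse?path=%2Fvar%2Flog HTTP/1.1" 200 1342`,
	`10.0.0.9 - bob [29/May/2026:10:02:17 +0000] "GET /environments/1/volumes/appdata/browse?path=%2Fvar%2F%24%28id%29 HTTP/1.1" 500 212`,
	`10.0.0.9 - bob [29/May/2026:10:02:40 +0000] "GET /environments/1/volumes/appdata/browse?path=/tmp/%60whoami%60 HTTP/1.1" 500 198`,
	`10.0.0.5 - alice [29/May/2026:10:03:00 +0000] "GET /environments/1/volumes/appdata/browse?path=%2Fetc HTTP/1.1" 500 87`,
	`10.0.0.5 - alice [29/May/2026:10:04:00 +0000] "GET /environments/1/volumes HTTP/1.1" 200 560`,
}

func main() {
	for _, f := range scanAccessLog(sampleLog) {
		fmt.Printf("line %d: %s (status %s, path=%q)\n", f.Line, f.Reason, f.Status, f.Path)
	}
}
```

Decoding before matching matters: a rule that looks only for literal $( in the raw request line misses the %24%28 form, which is how most clients and proxies will actually record the parameter. The clean-path 500 case is kept as a weaker signal so that the third strategy, correlating with process creation in the helper container, has a request to pivot from.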
Monitoring Recommendations
- Enable container runtime auditing to record process creation events inside helper containers.
- Forward Arcane HTTP access logs to a central log platform and alert on 500 responses tied to the volume browse route.
- Track outbound network connections from the helper container, since command injection is often followed by data exfiltration or reverse-shell attempts.
How to Mitigate CVE-2026-45626
Immediate Actions Required
- Upgrade Arcane to a release later than 1.18.1 that addresses the command injection flaw.
- Restrict access to the Arcane UI and API to trusted administrators using network controls and strong authentication.
- Audit existing user accounts and remove access to browseable volumes for users that do not require it.
Patch Information
Refer to the GitHub Security Advisory GHSA-9mvm-4gwg-v8mp for the fixed version and patch details. The advisory is the authoritative source for upgrade guidance from the Arcane maintainers.
Workarounds
- Disable the volume browse feature or block the /environments/{id}/volumes/{volumeName}/browse route at a reverse proxy until the patched version is deployed.
- Restrict the helper container's capabilities and mounted paths to limit the impact of any injected command.
- Place a web application firewall rule in front of Arcane that rejects requests containing $(, backticks, or their URL-encoded forms in the path parameter.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


