CVE-2026-47179 Overview
CVE-2026-47179 is a path traversal vulnerability [CWE-22] in Arcane, a web interface for managing Docker containers, images, networks, and volumes. The flaw resides in the ProjectService.GetProjectFileContent method, which returns the contents of any file referenced by a Docker Compose include directive before path-traversal validation executes. Authenticated users can read arbitrary files accessible to the Arcane backend process. Reading /app/data/arcane.db exposes every user's password hash and API key, enabling privilege escalation to administrator. With administrative access to Arcane's Docker control plane, attackers can achieve remote code execution on the host. The vulnerability is fixed in version 1.19.4.
Critical Impact
Authenticated attackers can read arbitrary files including the SQLite database holding password hashes and API keys, escalating to admin and achieving RCE via the Docker control plane.
Affected Products
- Arcane Docker management interface versions prior to 1.19.4
- Deployments exposing the project file API to authenticated users
- Arcane instances with Docker control plane access on the host
Discovery Timeline
- 2026-05-29 - CVE-2026-47179 published to the National Vulnerability Database (NVD)
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-47179
Vulnerability Analysis
The vulnerability stems from improper ordering of validation logic in Arcane's project handling code. ProjectService.CreateProject writes attacker-supplied Docker Compose content to disk without validating include paths. When the project file is later requested, ProjectService.GetProjectFileContent returns the contents referenced by the include directive before any path-traversal checks run.
This flaw allows an authenticated user to declare an include directive pointing outside the project directory. The backend dutifully reads the file and returns its contents through the project file API. The exposure extends to any file readable by the process running the Arcane backend.
The most damaging target is /app/data/arcane.db, the SQLite database storing user password hashes and API keys. Once an attacker extracts admin credentials, Arcane's Docker control plane provides a direct path to executing commands on the host through container creation or volume mounts.
Root Cause
The root cause is a logic error where file content retrieval precedes input validation. The include directive in user-controlled Compose files is dereferenced before sanitization, violating the principle of validating untrusted input before use.
Attack Vector
The attack requires only low-privileged authenticated access. An attacker creates a project with a compose file containing include: ['../../../../etc/passwd'] or a path to /app/data/arcane.db. Requesting the project file content via the API returns the contents of the referenced file. No user interaction is required, and the attack is launched over the network against the Arcane web interface.
The vulnerability manifests through ordering of operations in ProjectService. See the GitHub Security Advisory GHSA-c3px-h233-h6fq and the GitHub Commit Change for technical details.
Detection Methods for CVE-2026-47179
Indicators of Compromise
- Docker Compose project files containing include directives with relative path sequences such as ../ or absolute paths outside the project directory
- API requests to project file endpoints referencing paths like /app/data/arcane.db, /etc/passwd, or other sensitive host files
- Unexpected reads of arcane.db by the Arcane backend process outside normal operation
- Newly created admin users or API keys following suspicious project creation activity
Detection Strategies
- Audit existing Arcane projects for compose files containing include directives with traversal sequences or absolute paths
- Inspect backend logs for GetProjectFileContent calls returning files outside expected project directories
- Correlate project creation events with subsequent file content retrieval requests from the same user session
- Monitor for privilege escalation events such as new admin accounts created shortly after project file API access
Monitoring Recommendations
- Enable verbose access logging on the Arcane API and forward to a centralized log platform for analysis
- Alert on file access patterns that touch the SQLite database path or system files from within the application container
- Track Docker control plane actions originating from accounts that recently used the project file API
How to Mitigate CVE-2026-47179
Immediate Actions Required
- Upgrade all Arcane deployments to version 1.19.4 or later without delay
- Rotate all Arcane user passwords and API keys after upgrading, as prior credentials may have been exposed
- Review project files in existing deployments for malicious include directives and remove them
- Audit Arcane user accounts for unauthorized admin escalations or unfamiliar API keys
Patch Information
The vulnerability is fixed in Arcane version 1.19.4. The patch enforces path-traversal validation on include directives before file content is returned. Review the GitHub Commit Change for implementation details.
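The following is an added example (not Arcane's own code) of the validate-before-read check described in the Root Cause and Patch Information sections, reused as the audit step from Detection Strategies: every include entry is resolved against the project root and rejected before any file is opened. Function names, the project path /srv/arcane/projects/demo and the sample include list are constructed for illustration; on a real filesystem the resolved path should additionally be passed through filepath.EvalSymlinks and re-checked.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideProject is returned for include paths that escape the project root.
var ErrOutsideProject = errors.New("include path resolves outside the project directory")

// resolveInclude resolves a Compose include entry against projectDir and rejects it
// before any file is opened; relative ../ traversal and absolute paths are both caught.
func resolveInclude(projectDir, include string) (string, error) {
	root, err := filepath.Abs(projectDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Clean(include) // absolute entries must already lie under root
	if !filepath.IsAbs(include) {
		candidate = filepath.Join(root, include) // Join cleans ".." segments
	}
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideProject, include)
	}
	// Live deployments: run filepath.EvalSymlinks(candidate) and repeat the Rel check.
	return candidate, nil
}

// auditIncludes returns the include entries of one project that fail validation,
// the check an administrator would run over the compose files of existing projects.
func auditIncludes(projectDir string, includes []string) []string {
	var bad []string
	for _, inc := range includes {
		if _, err := resolveInclude(projectDir, inc); err != nil {
			bad = append(bad, inc)
		}
	}
	return bad
}

func main() {
	// Constructed sample: two legitimate includes and two escapes of the kind the advisory describes.
	fmt.Println(auditIncludes("/srv/arcane/projects/demo",
		[]string{"base.yaml", "sub/../ok.yaml", "../../../../etc/passwd", "/app/data/arcane.db"}))
}
```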
Workarounds
- Restrict access to the Arcane interface to trusted administrators only until patching is complete
- Place Arcane behind network-level access controls such as VPN or IP allowlisting to limit authenticated user exposure
- Run the Arcane backend with the least privileges required, reducing the set of files readable by the process
- Disable user self-registration if enabled, preventing untrusted parties from obtaining authenticated access
# Upgrade Arcane container to the patched release
docker pull ghcr.io/getarcaneapp/arcane:1.19.4
docker stop arcane && docker rm arcane
docker run -d --name arcane \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v arcane-data:/app/data \
  ghcr.io/getarcaneapp/arcane:1.19.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.