NVD Vulnerability Details: CVE-2026-23520
Status: Analyzed
Source: security-advisories@github.com
Published At: 15 Jan, 2026 | 20:16
Updated At: 05 Feb, 2026 | 21:37

Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
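
A defensive audit for the two labels named above, as an added example that is not part of the advisory or of Arcane's code: it reads `docker inspect` JSON and reports every container carrying a lifecycle label, since on versions before 1.13.0 that value is run as a shell command at update time. The function name, container names, IDs and label values in the sample are constructed.

```python
import json

# Label keys named in the CVE-2026-23520 description.
LIFECYCLE_LABELS = (
    "com.getarcaneapp.arcane.lifecycle.pre-update",
    "com.getarcaneapp.arcane.lifecycle.post-update",
)


def find_lifecycle_labels(inspect_json):
    """Return one finding per lifecycle label present in `docker inspect` output."""
    findings = []
    for container in json.loads(inspect_json):
        # Docker emits "Labels": null for containers that have no labels.
        labels = (container.get("Config") or {}).get("Labels") or {}
        for key in LIFECYCLE_LABELS:
            if key in labels:
                findings.append({
                    "container": container.get("Name", "").lstrip("/"),
                    "id": container.get("Id", "")[:12],
                    "label": key,
                    # The whole value is the command; report it for review.
                    "command": labels[key],
                })
    return findings


# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE = json.dumps([
    {"Id": "a1b2c3d4e5f6aaaa", "Name": "/web",
     "Config": {"Labels": {
         "com.getarcaneapp.arcane.lifecycle.pre-update": "touch /tmp/marker",
         "maintainer": "ops"}}},
    {"Id": "0f0f0f0f0f0fbbbb", "Name": "/db", "Config": {"Labels": None}},
    {"Id": "c0ffee123456cccc", "Name": "/worker",
     "Config": {"Labels": {
         "com.getarcaneapp.arcane.lifecycle.post-update": "echo done"}}},
])

if __name__ == "__main__":
    for f in find_lifecycle_labels(SAMPLE):
        print(f"{f['container']} ({f['id']}): {f['label']} = {f['command']!r}")
```

Any finding on a host managed by an Arcane version before 1.13.0 should be reviewed along with who created the owning project, because the description states that any authenticated user can create projects.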

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Type: Primary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CPE Matches

Vendor: arcane
Product: arcane
Versions: before 1.13.0 (exclusive)
CPE: cpe:2.3:a:arcane:arcane:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-78
Type: Primary
Source: security-advisories@github.com
References
Hyperlink: https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4
Source: security-advisories@github.com
Resource: Exploit

Hyperlink: https://github.com/getarcaneapp/arcane/pull/1468
Source: security-advisories@github.com
Resource: Issue Tracking

Hyperlink: https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0
Source: security-advisories@github.com
Resource: Release Notes

Hyperlink: https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8
Source: security-advisories@github.com
Resource: Vendor Advisory