top of page
perceptive_background_267k.jpg

Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle l…

Published:

14 January 2026 at 23:00:00

Alert date:

15 January 2026 at 22:02:37

Source:

nvd.nist.gov

Click to open the original link from this advisory

Cloud & Virtualization, Web Technologies

CVE-2026-23520 affects Arcane docker management platform prior to version 1.13.0. The vulnerability allows command injection through the updater service via lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update. Label values are passed directly to /bin/sh -c without sanitization or validation. Any authenticated user can create projects with malicious lifecycle labels through the API. When administrators trigger container updates, the malicious commands are executed inside containers. The vulnerability is fixed in version 1.13.0.

Technical details

Mitigation steps:

Affected products:

Arcane Docker Management

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-23520
https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4
https://github.com/getarcaneapp/arcane/pull/1468
https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0
https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page