CVE-2026-47179 affects Arcane, a Docker container management interface, prior to version 1.19.4. The vulnerability allows authenticated users to exploit path traversal in Docker Compose include directives through ProjectService.GetProjectFileContent, which returns file contents before validation runs. Attackers can create malicious compose files with include paths like '../../../../etc/passwd' to read arbitrary files accessible to the Arcane backend process. This includes the SQLite database containing password hashes and API keys, enabling privilege escalation to admin and potential remote code execution on the host system through Arcane's Docker control plane. The issue is fixed in version 1.19.4.