Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle l…

CVE-2026-23520 affects Arcane docker management platform prior to version 1.13.0. The vulnerability allows command injection through the updater service via lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update. Label values are passed directly to /bin/sh -c without sanitization or validation. Any authenticated user can create projects with malicious lifecycle labels through the API. When administrators trigger container updates, the malicious commands are executed inside containers. The vulnerability is fixed in version 1.13.0.