CVE-2026-45626
Published 2026-05-29
Priority: P345 · Severity: medium · CVSS 3.1 base score: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS: 0.21% (11.3th percentile)
Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getarcaneapp | arcane | <= 1.18.1 | — |
| github.com | getarcaneapp_arcane_backend | 0 – 1.18.1 | — |
VulDB
vuldb · 2026-05-29 · CVSS 6.3
CVE-2026-45626 [MEDIUM] getarcaneapp arcane up to 1.18.1 Query Parameter browse os command injection (GHSA-9mvm-4gwg-v8mp)
A vulnerability was found in getarcaneapp arcane up to 1.18.1 and classified as critical. The impacted element is an unknown function of the file /environments/{id}/volumes/{volumeName}/browse of the component Query Parameter Handler. The manipulation results in os command injection.
This vulnerability was named CVE-2026-45626. The attack may be performed remotely. There is no available exploit.
GHSA
ghsa · 2026-05-18 · CWE-78
CVE-2026-45626 [MEDIUM] Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter
## Summary
`GET /environments/{id}/volumes/{volumeName}/browse` accepts a `path` query parameter that is passed to a shell command (`sh -c "find … | while …"`) inside an Arcane helper container. The path sanitiser blocks `../` traversal but does not strip Bourne-shell metacharacters such as `$()` or backticks, and `strconv.Quote` only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.
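As an added illustration of the advisory's point (example code, not Arcane's own), the Go snippet below contrasts the reported pattern, `strconv.Quote` output interpolated into an `sh -c` string, with a validator that rejects Bourne-shell metacharacters and unnormalised paths and then builds a shell-free argument vector. The function names, the metacharacter regex and the sample paths are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strconv"
)

// vulnerableCommand mirrors the reported pattern: strconv.Quote yields a Go-syntax
// double-quoted literal, and inside POSIX double quotes the shell still performs
// $(...) and backtick substitution, so the quoting is not a shell escape.
func vulnerableCommand(p string) string {
	return fmt.Sprintf("find %s -maxdepth 1 | while read f; do stat \"$f\"; done", strconv.Quote(p))
}

// shellMetaRe matches characters with special meaning to a Bourne shell;
// none of them belong in a volume path for this feature (assumed policy).
var shellMetaRe = regexp.MustCompile("[`$;&|<>(){}\\\\\"'\\n\\r]")

// safePath accepts only an absolute, already-normalised path with no shell
// metacharacters. The leading "/" also stops the value from being read as a
// find option once it is passed as a separate argument.
func safePath(p string) (string, error) {
	if p == "" {
		p = "/" // constructed default: browse the volume root
	}
	if shellMetaRe.MatchString(p) {
		return "", errors.New("shell metacharacter in path")
	}
	if p[0] != '/' || path.Clean(p) != p {
		return "", errors.New("path must be absolute and normalised (no '..', '.', '//')")
	}
	return p, nil
}

// safeArgv builds an argv for exec.Command-style execution with no shell in
// between: the path is one argument and is never parsed for substitutions.
func safeArgv(p string) ([]string, error) {
	clean, err := safePath(p)
	if err != nil {
		return nil, err
	}
	return []string{"find", clean, "-maxdepth", "1", "-printf", "%y %s %p\\n"}, nil
}

func main() {
	fmt.Println(vulnerableCommand("/data/$(cmd)")) // $(cmd) survives strconv.Quote
	fmt.Println(safeArgv("/data/$(cmd)"))            // rejected before anything runs
}
```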
## Details
The execution flow is:
1. `BrowseDirectoryInput.Path` (query: `path`) — `backend/internal/huma/handlers/volumes
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.