Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-c3px-h233-h6fq | Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives |
Tue, 02 Jun 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 29 May 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getarcaneapp
Getarcaneapp arcane |
|
| Vendors & Products |
Getarcaneapp
Getarcaneapp arcane |
Fri, 29 May 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4. | |
| Title | Arcane: Authenticated Arbitrary Host File Read via Docker Compose Include Directives in Arcane | |
| Weaknesses | CWE-22 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-02T15:46:26.827Z
Reserved: 2026-05-18T21:25:34.498Z
Link: CVE-2026-47179
Updated: 2026-06-02T15:44:14.411Z
Status : Deferred
Published: 2026-05-29T18:17:12.500
Modified: 2026-05-29T20:25:00.760
Link: CVE-2026-47179
No data.
OpenCVE Enrichment
Updated: 2026-05-29T18:30:05Z
Github GHSA