CVE-2026-47179: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getarcaneapp arcane
CVE-2026-47179 is a path traversal vulnerability in the Arcane application prior to version 1. 19. 4. It allows an authenticated user to read arbitrary files on the backend server by exploiting improper validation of Docker Compose include directives. This can lead to disclosure of sensitive files such as the Arcane SQLite database containing password hashes and API keys, enabling privilege escalation and potential remote code execution via Docker control. The vulnerability has a high severity score of 7. 7 and is fixed in version 1. 19. 4.
AI Analysis
Technical Summary
Arcane versions before 1.19.4 contain a path traversal vulnerability (CWE-22) in ProjectService.GetProjectFileContent and ProjectService.CreateProject. The service returns contents of Docker Compose include directives before validating paths, allowing an authenticated user to specify include paths like '../../../../etc/passwd'. This results in arbitrary file reads of any file accessible by the Arcane backend process, including sensitive files such as /app/data/arcane.db, which stores password hashes and API keys. Exploiting this can escalate privileges to admin and enable remote code execution on the host through Arcane's Docker control plane. The vulnerability is fixed in version 1.19.4.
Potential Impact
An authenticated attacker can read arbitrary files on the backend server, including sensitive credential storage, leading to privilege escalation to administrative access. This escalated access can then be leveraged to execute arbitrary code on the host system via Docker control, posing a significant risk to confidentiality and system integrity. The CVSS score of 7.7 reflects high severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
This vulnerability is fixed in Arcane version 1.19.4. Users should upgrade to version 1.19.4 or later to remediate this issue. No vendor advisory is provided to indicate alternative mitigations or temporary fixes. Until upgraded, restrict authenticated user permissions to minimize risk.
CVE-2026-47179: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getarcaneapp arcane
Description
CVE-2026-47179 is a path traversal vulnerability in the Arcane application prior to version 1. 19. 4. It allows an authenticated user to read arbitrary files on the backend server by exploiting improper validation of Docker Compose include directives. This can lead to disclosure of sensitive files such as the Arcane SQLite database containing password hashes and API keys, enabling privilege escalation and potential remote code execution via Docker control. The vulnerability has a high severity score of 7. 7 and is fixed in version 1. 19. 4.
CVSS v3.1
Score 7.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Arcane versions before 1.19.4 contain a path traversal vulnerability (CWE-22) in ProjectService.GetProjectFileContent and ProjectService.CreateProject. The service returns contents of Docker Compose include directives before validating paths, allowing an authenticated user to specify include paths like '../../../../etc/passwd'. This results in arbitrary file reads of any file accessible by the Arcane backend process, including sensitive files such as /app/data/arcane.db, which stores password hashes and API keys. Exploiting this can escalate privileges to admin and enable remote code execution on the host through Arcane's Docker control plane. The vulnerability is fixed in version 1.19.4.
Potential Impact
An authenticated attacker can read arbitrary files on the backend server, including sensitive credential storage, leading to privilege escalation to administrative access. This escalated access can then be leveraged to execute arbitrary code on the host system via Docker control, posing a significant risk to confidentiality and system integrity. The CVSS score of 7.7 reflects high severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
This vulnerability is fixed in Arcane version 1.19.4. Users should upgrade to version 1.19.4 or later to remediate this issue. No vendor advisory is provided to indicate alternative mitigations or temporary fixes. Until upgraded, restrict authenticated user permissions to minimize risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T21:25:34.498Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19cdf6e29bf47b50fb479f
Added to database: 5/29/2026, 5:33:42 PM
Last enriched: 5/29/2026, 5:48:57 PM
Last updated: 5/29/2026, 6:33:52 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.