{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23520","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-01-13T18:22:43.980Z","datePublished":"2026-01-15T19:20:22.434Z","dateUpdated":"2026-01-15T19:58:45.182Z"},"containers":{"cna":{"title":"Arcane has a Command Injection in Arcane Updater Lifecycle Labels Enables RCE","problemTypes":[{"descriptions":[{"cweId":"CWE-78","lang":"en","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8","tags":["x_refsource_CONFIRM"],"url":"https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8"},{"name":"https://github.com/getarcaneapp/arcane/pull/1468","tags":["x_refsource_MISC"],"url":"https://github.com/getarcaneapp/arcane/pull/1468"},{"name":"https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4","tags":["x_refsource_MISC"],"url":"https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4"},{"name":"https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0","tags":["x_refsource_MISC"],"url":"https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0"}],"affected":[{"vendor":"getarcaneapp","product":"arcane","versions":[{"version":"< 1.13.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-01-15T19:20:22.434Z"},"descriptions":[{"lang":"en","value":"Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0."}],"source":{"advisory":"GHSA-gjqq-6r35-w3r8","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-15T19:58:38.291447Z","id":"CVE-2026-23520","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-15T19:58:45.182Z"}}]}}