Arcane RCE: When Docker Labels Become Shell Scripts
Jan 16, 2026
Executive Summary (TL;DR)
Arcane trusted Docker labels to define 'pre-update' and 'post-update' commands. It passed these label values directly to `/bin/sh -c`. An authenticated attacker can create a project with a malicious label, wait for an admin to update the container, and gain Remote Code Execution (RCE) on the management server. The vendor fixed this by deleting the feature entirely.
A critical OS Command Injection vulnerability in the Arcane Docker management platform allows authenticated users to execute arbitrary commands on the backend server. By placing malicious values in the Docker labels that define lifecycle hooks, an attacker can make the updater service pass those unsanitized strings straight to a shell interpreter when an admin triggers a container update.
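The risky pattern described above is a hook string read from a container label and handed verbatim to `/bin/sh -c`. The following Go program is an added example written for this write-up, not Arcane's own code: it audits `docker inspect`-style output for hook labels so an operator running a pre-1.13.0 instance can review them before approving an update. The label key names (`example.arcane/pre-update`, `example.arcane/post-update`) and the sample inspect JSON are constructed placeholders; the advisory does not name the real keys.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Placeholder hook label keys. The advisory does not name the real keys
// Arcane used, so these are assumptions for the example only.
var hookLabelKeys = []string{
	"example.arcane/pre-update",
	"example.arcane/post-update",
}

// Characters that carry meaning for /bin/sh -c. Any of them in a value
// that reaches the shell lets the value change the intended command.
const shellMeta = ";&|`$(){}<>\n\\\"'*?[]~"

// Finding is one hook label worth reviewing before an update is run.
type Finding struct {
	Container  string
	Label      string
	Value      string
	Suspicious bool // true when the value contains shell metacharacters
}

// containerInfo mirrors the subset of `docker inspect` output we need.
type containerInfo struct {
	Name   string `json:"Name"`
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"Config"`
}

// AuditLabels parses inspect JSON and reports every hook label present.
// Every hook label is reported because in affected versions its value
// reaches /bin/sh -c; values with metacharacters are flagged separately.
func AuditLabels(inspectJSON []byte) ([]Finding, error) {
	var containers []containerInfo
	if err := json.Unmarshal(inspectJSON, &containers); err != nil {
		return nil, fmt.Errorf("parse inspect output: %w", err)
	}
	var findings []Finding
	for _, c := range containers {
		for _, key := range hookLabelKeys {
			v, ok := c.Config.Labels[key]
			if !ok {
				continue
			}
			findings = append(findings, Finding{
				Container:  c.Name,
				Label:      key,
				Value:      v,
				Suspicious: strings.ContainsAny(v, shellMeta),
			})
		}
	}
	return findings, nil
}

// SampleInspect is constructed sample data shaped like `docker inspect`
// output: one container with no hooks, one with a benign hook, and one
// whose hook value would alter the shell command.
var SampleInspect = []byte(`[
  {"Name": "/web",    "Config": {"Labels": {"com.example.team": "platform"}}},
  {"Name": "/api",    "Config": {"Labels": {"example.arcane/pre-update": "echo starting update"}}},
  {"Name": "/worker", "Config": {"Labels": {"example.arcane/post-update": "echo done && whoami"}}}
]`)

func main() {
	findings, err := AuditLabels(SampleInspect)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		status := "review: value reaches /bin/sh -c on update"
		if f.Suspicious {
			status = "BLOCK: shell metacharacters in hook value"
		}
		fmt.Printf("%-8s %-28s %q  %s\n", f.Container, f.Label, f.Value, status)
	}
}
```

Feed it the output of `docker inspect $(docker ps -q)` from the Docker host Arcane manages. Even the benign-looking finding deserves a look: the root cause is that any label value is executed through a shell, so the only durable mitigation is upgrading to 1.13.0, where the hook feature no longer exists.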
Fix Analysis
Technical Appendix
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Arcane (getarcaneapp) | < 1.13.0 | 1.13.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 (OS Command Injection) |
| CVSS Score | 9.1 (Critical) |
| Attack Vector | Network |
| Privileges Required | Low (Authenticated) |
| User Interaction | Required (Admin triggers update) |
| Sink | /bin/sh -c |
MITRE ATT&CK Mapping
CWE-78 (OS Command Injection) description: the software constructs all or part of an OS command using externally influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command.