Description
Advisory GHSA-gjqq-6r35-w3r8 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/getarcaneapp/arcane/backend |
Description:
Summary
Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation.
Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manual...
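Before applying the fix, an administrator will want to know which existing containers already carry one of these lifecycle labels, since the updater would have handed each label value to /bin/sh -c on the next update. The following Go program is an added example written for this page, not code from the Arcane project: it parses docker inspect output (the real `docker inspect` JSON shape, of which only Name and Config.Labels are used) and lists every container with a pre-update or post-update label. The embedded inspect output is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Label keys named in the advisory; the updater passed their values to /bin/sh -c.
const (
	labelPreUpdate  = "com.getarcaneapp.arcane.lifecycle.pre-update"
	labelPostUpdate = "com.getarcaneapp.arcane.lifecycle.post-update"
)

// container mirrors the subset of `docker inspect` output this check needs.
type container struct {
	Name   string `json:"Name"`
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"Config"`
}

// Finding records one lifecycle label found on one container.
type Finding struct {
	Container string
	Label     string
	Command   string // the label value, i.e. what the updater would have executed
}

// FindLifecycleLabels parses `docker inspect` JSON (an array of containers) and
// returns every container carrying a pre-update or post-update lifecycle label,
// sorted by container name and then by label key.
func FindLifecycleLabels(inspectJSON []byte) ([]Finding, error) {
	var containers []container
	if err := json.Unmarshal(inspectJSON, &containers); err != nil {
		return nil, fmt.Errorf("parse inspect output: %w", err)
	}
	var findings []Finding
	for _, c := range containers {
		name := strings.TrimPrefix(c.Name, "/") // docker inspect prefixes names with "/"
		for _, key := range []string{labelPreUpdate, labelPostUpdate} {
			if cmd, ok := c.Config.Labels[key]; ok {
				findings = append(findings, Finding{Container: name, Label: key, Command: cmd})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Container != findings[j].Container {
			return findings[i].Container < findings[j].Container
		}
		return findings[i].Label < findings[j].Label
	})
	return findings, nil
}

// sampleInspect is constructed sample data standing in for
// `docker inspect $(docker ps -aq)`; the label values are deliberately benign.
const sampleInspect = `[
  {"Name": "/web", "Config": {"Labels": {"com.docker.compose.project": "shop"}}},
  {"Name": "/worker", "Config": {"Labels": {
      "com.docker.compose.project": "shop",
      "com.getarcaneapp.arcane.lifecycle.post-update": "echo updated >> /tmp/updates.log"}}},
  {"Name": "/db", "Config": {"Labels": {
      "com.getarcaneapp.arcane.lifecycle.pre-update": "true",
      "com.getarcaneapp.arcane.lifecycle.post-update": "true"}}}
]`

func main() {
	findings, err := FindLifecycleLabels([]byte(sampleInspect))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-8s %s => %q\n", f.Container, f.Label, f.Command)
	}
}
```

In practice, pipe real inspect output into the program instead of the embedded sample (for example by reading os.Stdin), and treat any hit as a project to review, because the label may have been set by any authenticated user who could create projects.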
References:
- ADVISORY: GHSA-gjqq-6r35-w3r8
- ADVISORY: GHSA-gjqq-6r35-w3r8
- FIX: getarcaneapp/arcane@5a9c2f9
- FIX: fix: remove updater lifecycle hooks getarcaneapp/arcane#1468
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/getarcaneapp/arcane/backend
      versions:
        - fixed: 0.0.0-20260114065515-5a9c2f92e11f
summary: |-
    Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables
    RCE in github.com/getarcaneapp/arcane/backend
cves:
    - CVE-2026-23520
ghsas:
    - GHSA-gjqq-6r35-w3r8
references:
    - advisory: https://github.com/advisories/GHSA-gjqq-6r35-w3r8
    - advisory: https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8
    - fix: https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4
    - fix: https://github.com/getarcaneapp/arcane/pull/1468
notes:
    - fix: 'github.com/getarcaneapp/arcane/backend: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-gjqq-6r35-w3r8
    created: 2026-01-15T21:01:26.754595612Z
review_status: UNREVIEWED
```