SCA: security update for github.com/getarcaneapp/arcane/backend (GHSA-c3px-h233-h6fq)

high Tenable Self-Hosted Container Security Plugin ID 442448

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4,
ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared
in a project's compose file before any path-traversal validation runs. Because
ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include
paths, an authenticated user can create a project whose compose file declares include:
['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read
of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database
containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker
control plane, RCE on the host. This vulnerability is fixed in 1.19.4. (CVE-2026-47179)

Solution

Update the github.com/getarcaneapp/arcane/backend library and its related packages to version 1.19.4 or later.

See Also

https://github.com/advisories/GHSA-c3px-h233-h6fq

Plugin Details

Severity: High

ID: 442448

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/29/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.27

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-47179

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/28/2026

Vulnerability Publication Date: 5/28/2026

Reference Information

CVE: CVE-2026-47179

cwe: CWE-22