Platform
docker
Component
runtipi
Fixed in
4.5.1
CVE-2026-25116 is a Path Traversal vulnerability in Runtipi, a personal homeserver orchestrator. It allows unauthenticated remote attackers to overwrite the system's critical docker-compose.yml configuration file, potentially leading to full Remote Code Execution (RCE) and compromise of the host filesystem. The vulnerability affects versions 4.5.0 through 4.7.1; a fix is available in version 4.7.2.
The impact of CVE-2026-25116 is severe. Successful exploitation gives an attacker control over the Runtipi instance's configuration: by replacing docker-compose.yml with a malicious version, an attacker dictates which containers are launched, which services are exposed and, ultimately, what code runs on the host. This can lead to data exfiltration, persistent backdoor access and complete compromise of the underlying infrastructure. Because the core configuration can be overwritten without authentication, the barrier to entry is low, which makes this a high-priority vulnerability to address. The RCE potential is particularly concerning: an attacker can execute arbitrary commands with the privileges of the Runtipi process and potentially escalate from there.
CVE-2026-25116 was publicly disclosed on January 29, 2026. The EPSS score shown on this page is low (0.10%, 28th percentile), but the vulnerability requires no authentication and is straightforward to exploit, so that score should not be read as reassurance. No public proof-of-concept (PoC) code had been released as of the disclosure date; given the simplicity of the bug, PoCs are likely to emerge. It is not currently listed in the CISA KEV catalog.
Users running Runtipi in exposed environments, particularly those with limited network segmentation, are at the highest risk. Shared hosting environments where multiple users share the same Runtipi instance are also particularly exposed, since an attacker could compromise the entire host.
• docker: List the running containers and check each one's image, privilege level and bind mounts against what the docker-compose.yml you deployed actually declares.
docker ps --format '{{.Names}} {{.Image}} {{.CreatedAt}}'
docker inspect --format '{{.Name}} privileged={{.HostConfig.Privileged}} binds={{.HostConfig.Binds}}' $(docker ps -q)
• linux / server: Monitor system logs for unusual activity from the Runtipi service (the unit name runtipi is assumed here; adjust it to your installation).
journalctl -u runtipi -f | grep -i 'error'
• generic web: Monitor access logs for requests targeting /user/config with path traversal patterns (e.g., ../ and its URL-encoded forms such as %2e%2e/).
• generic web: Check responses from that endpoint for unexpected content or redirects.
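The access-log check above, as an added example that is not code from Runtipi or from this page: a small Python scanner that flags requests to /user/config whose request target contains a traversal segment, percent-decoding repeatedly so that %2e%2e and double-encoded %252e variants are caught as well as a literal ../. The combined log format and the sample lines are constructed for this example, and the shape of the PUT requests is an assumption, since the page does not give the exploit request.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory. Everything else in this file is an assumption
# made for the example.
TARGET_PATH = "/user/config"

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment bounded by a slash (or the string edge) on both sides,
# evaluated after normalisation.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize_target(target: str) -> str:
    """Percent-decode up to three times (catches %2e%2e and %252e%252e) and
    fold backslashes to slashes so the traversal regex sees one shape."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal_against_config(target: str) -> bool:
    """True when the decoded request target addresses /user/config and
    carries a '..' segment anywhere in it."""
    decoded = normalize_target(target)
    return TARGET_PATH in decoded and TRAVERSAL_RE.search(decoded) is not None


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_traversal_against_config(m["target"]):
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "method": m["method"],
                "target": m["target"],
                "decoded": normalize_target(m["target"]),
                "status": int(m["status"]),
            })
    return hits


# Constructed sample log lines. The PUT requests model what a traversal attempt
# against /user/config could look like; they are not a captured exploit.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2026:10:15:01 +0000] "GET /user/config HTTP/1.1" 200 512
203.0.113.7 - - [29/Jan/2026:10:15:05 +0000] "PUT /user/config/../../docker-compose.yml HTTP/1.1" 200 0
198.51.100.9 - - [29/Jan/2026:10:16:11 +0000] "PUT /user/config/%2e%2e/%2e%2e/docker-compose.yml HTTP/1.1" 200 0
198.51.100.9 - - [29/Jan/2026:10:16:12 +0000] "PUT /user/config/%252e%252e/docker-compose.yml HTTP/1.1" 403 0
192.0.2.4 - - [29/Jan/2026:10:17:00 +0000] "GET /apps/../index.html HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['target']} "
              f"-> {hit['decoded']} ({hit['status']})")
```

The last sample line is deliberately not flagged: it carries a traversal segment but does not address /user/config, which keeps the rule as narrow as the advisory states it. A 403 on a traversal request (the fourth line) is still worth recording, since it shows someone probing the endpoint even when the attempt was blocked.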
Disclosure
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25116 is to upgrade Runtipi to version 4.7.2 or later immediately. This version includes a fix that prevents the insecure URN parsing that enables the Path Traversal. If an immediate upgrade is not feasible, consider temporary workarounds. A direct WAF rule is difficult to write for this vulnerability, but scrutinizing any external configuration files loaded by Runtipi provides a limited layer of defense, and the docker-compose.yml file should be reviewed regularly for unexpected changes. After upgrading, confirm the fix by sending a path traversal request to the UserConfigController endpoint and verifying that the system rejects it.
Update runtipi to version 4.7.2 or later. This version fixes the Path Traversal vulnerability that allows unauthenticated overwriting of the docker-compose.yml file. The update prevents remote code execution and compromise of the host filesystem.
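The "review docker-compose.yml for unexpected changes" step above, as an added example that is not part of Runtipi or of this page: a Python script that records a SHA-256 baseline of the compose file you deployed, reports when the file on disk no longer matches it, and scans the content for directives that hand a container a route to the host (privileged mode, host PID or network namespace, a bind mount of the docker socket or of the host root). The baseline file name, the directive list and the two compose files are assumptions constructed for the example; the second compose file shows the kind of service an attacker who can rewrite the file would add.

```python
import hashlib
import json
import os
import re
import tempfile

# Compose directives that give a container a route to the host. The list is a
# heuristic chosen for this example, not a Runtipi policy.
RISKY_PATTERNS = {
    "privileged container": re.compile(r"^\s*privileged:\s*true\b"),
    "host PID namespace": re.compile(r"^\s*pid:\s*host\b"),
    "host network": re.compile(r"^\s*network_mode:\s*host\b"),
    "docker socket mounted": re.compile(r"/var/run/docker\.sock"),
    "host root bind-mounted": re.compile(r"^\s*-\s*[\"']?/:/"),
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(compose_path: str, state_path: str) -> str:
    """Store the hash of the compose file you deployed; returns the hash."""
    digest = sha256_file(compose_path)
    with open(state_path, "w") as f:
        json.dump({"path": compose_path, "sha256": digest}, f)
    return digest


def compose_changed(compose_path: str, state_path: str) -> bool:
    """True when the file on disk no longer matches the recorded baseline."""
    with open(state_path) as f:
        expected = json.load(f)["sha256"]
    return sha256_file(compose_path) != expected


def risky_lines(compose_text: str) -> list[tuple[int, str, str]]:
    """(line number, reason, line) for every directive in RISKY_PATTERNS."""
    findings = []
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        for reason, pattern in RISKY_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, reason, line.strip()))
    return findings


# Constructed compose files: the one an operator deployed, and the same file
# with an extra service of the kind an attacker who can rewrite it would add.
DEPLOYED_COMPOSE = """\
services:
  web:
    image: nginx:1.27
    ports:
      - "8080:80"
"""

TAMPERED_COMPOSE = DEPLOYED_COMPOSE + """\
  implant:
    image: alpine:3.20
    privileged: true
    pid: host
    volumes:
      - /:/host
      - /var/run/docker.sock:/var/run/docker.sock
"""


def demo() -> tuple[bool, bool, int]:
    """Baseline the deployed file, confirm it is unchanged, overwrite it the
    way the vulnerability allows, and confirm both checks fire."""
    with tempfile.TemporaryDirectory() as workdir:
        compose = os.path.join(workdir, "docker-compose.yml")
        state = os.path.join(workdir, "compose-baseline.json")
        with open(compose, "w") as f:
            f.write(DEPLOYED_COMPOSE)
        record_baseline(compose, state)
        before = compose_changed(compose, state)
        with open(compose, "w") as f:
            f.write(TAMPERED_COMPOSE)
        after = compose_changed(compose, state)
        with open(compose) as f:
            findings = risky_lines(f.read())
        return before, after, len(findings)


if __name__ == "__main__":
    print(demo())
```

Run record_baseline once after each deliberate deployment and compose_changed from a timer or cron job; the directive scan is a second signal for the case where the baseline was never recorded, or was recorded after the file had already been replaced.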
CVE-2026-25116 is a Path Traversal vulnerability in Runtipi versions 4.5.0 through 4.7.1, allowing attackers to overwrite the docker-compose.yml file and potentially achieve Remote Code Execution.
You are affected if you are running Runtipi versions 4.5.0 through 4.7.1. Upgrade to version 4.7.2 to mitigate the vulnerability.
The recommended fix is to upgrade Runtipi to version 4.7.2. If immediate upgrade is not possible, restrict access to the /user/config endpoint.
Active exploitation is currently unconfirmed, but the vulnerability's severity and ease of exploitation warrant close monitoring.
Refer to the official Runtipi project website and security advisories for the latest information and updates regarding CVE-2026-25116.