HIGH · CVE-2026-25116 · CVSS 7.6

CVE-2026-25116: Path Traversal in Runtipi Homeserver

Platform: docker

Component: runtipi

Fixed in: 4.5.1

AI Confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-25116 describes a Path Traversal vulnerability discovered in Runtipi, a personal homeserver orchestrator. This vulnerability allows unauthenticated remote users to overwrite the system's critical docker-compose.yml configuration file, potentially leading to full Remote Code Execution (RCE) and compromise of the host filesystem. The vulnerability affects versions 4.5.0 through 4.7.1, and a fix is available in version 4.7.2.

Impact and Attack Scenarios

The impact of CVE-2026-25116 is significant. Successful exploitation gives an attacker control over the Runtipi instance's configuration: by replacing docker-compose.yml with a malicious version, an attacker can inject arbitrary services and commands that will be executed the next time the instance restarts. This effectively grants RCE on the underlying host, enabling the attacker to steal sensitive data, install malware, or pivot to other systems on the network. Because no authentication is required, the attack surface is considerably broader. The impact resembles that of configuration file manipulation vulnerabilities seen in other orchestration platforms.

Exploitation Context

CVE-2026-25116 was publicly disclosed on January 29, 2026. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's ease of exploitation and the potential for significant impact. Active exploitation campaigns are currently unconfirmed, but the vulnerability's severity and ease of exploitation warrant close monitoring.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.10% (28th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L (base score 7.6, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: runtipi
Vendor: runtipi
Affected range: >= 4.5.0, < 4.7.2
Fixed in: 4.5.1

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-25116 is to immediately upgrade Runtipi to version 4.7.2 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the nature of the vulnerability, restricting access to the /user/config endpoint from untrusted networks can reduce the attack surface. Thoroughly review and audit the docker-compose.yml file for any unexpected modifications. After upgrading, confirm the fix by attempting to access the /user/config endpoint with a crafted path traversal request; the server should reject the request.
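The two defender-side checks the mitigation section describes, testing whether an installed version falls inside the affected range and reviewing docker-compose.yml for unexpected modifications, as an added Python example that is not part of this advisory or of the Runtipi project. The version bounds come from the advisory text (>= 4.5.0, < 4.7.2); the baseline/current file pair, the image name and the added service are constructed sample data, and the function names are the example's own.

```python
from __future__ import annotations

import difflib
import hashlib
import tempfile
from pathlib import Path

# Affected range as stated in the advisory: >= 4.5.0 and < 4.7.2.
AFFECTED_MIN = (4, 5, 0)
FIXED_IN = (4, 7, 2)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '4.7.1', 'v4.7.1' or '4.7.1-rc1' into a comparable (major, minor, patch) tuple.

    Pre-release and build suffixes are dropped; missing components are padded with 0,
    so '4.5' compares as (4, 5, 0).
    """
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the installed Runtipi version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compose_changed(current: bytes, baseline_digest: str) -> bool:
    """True if the current file content no longer matches the digest recorded at baseline time."""
    return sha256_hex(current) != baseline_digest


def compose_diff(baseline: str, current: str) -> list[str]:
    """Unified diff of baseline vs. current, so a reviewer sees exactly what changed."""
    return list(difflib.unified_diff(
        baseline.splitlines(), current.splitlines(),
        fromfile="docker-compose.yml (baseline)", tofile="docker-compose.yml (current)",
        lineterm="",
    ))


def audit(version: str, compose_path: Path, baseline_path: Path) -> dict:
    """Run both checks and return a small report dict."""
    baseline_bytes = baseline_path.read_bytes()
    current_bytes = compose_path.read_bytes()
    changed = compose_changed(current_bytes, sha256_hex(baseline_bytes))
    return {
        "version": version,
        "version_affected": is_affected(version),
        "compose_changed": changed,
        "diff": compose_diff(baseline_bytes.decode(), current_bytes.decode()) if changed else [],
    }


# Constructed sample data; the image name is illustrative, not a real Runtipi file.
BASELINE_COMPOSE = """\
services:
  runtipi:
    image: runtipi/runtipi:4.7.1
    ports:
      - "80:80"
"""

# The same file with one service the operator never added, standing in for an
# unexpected modification that an audit should surface.
TAMPERED_COMPOSE = BASELINE_COMPOSE + """\
  unexpected-service:
    image: example.invalid/unknown:latest
"""


def run_demo() -> dict:
    """Write the constructed files to a temp dir and audit them; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = Path(tmp) / "docker-compose.yml.baseline"
        current = Path(tmp) / "docker-compose.yml"
        baseline.write_text(BASELINE_COMPOSE)
        current.write_text(TAMPERED_COMPOSE)
        return audit("4.7.1", current, baseline)


if __name__ == "__main__":
    report = run_demo()
    print(f"runtipi {report['version']} affected: {report['version_affected']}")
    print(f"docker-compose.yml changed since baseline: {report['compose_changed']}")
    print("\n".join(report["diff"]))
```

In practice the baseline copy (or just its SHA-256) is recorded immediately after a known-good install or upgrade, and `audit` is run on a schedule; the hash answers "did it change?" cheaply, and the unified diff is what a reviewer actually reads to decide whether the change was expected.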

How to fix

Upgrade runtipi to version 4.7.2 or later. This version fixes the Path Traversal vulnerability that allows unauthenticated overwriting of the docker-compose.yml file. The update prevents remote code execution and compromise of the host filesystem.

Frequently asked questions

What is CVE-2026-25116 — Path Traversal in Runtipi Homeserver?

CVE-2026-25116 is a Path Traversal vulnerability in Runtipi versions 4.5.0 through 4.7.1, allowing attackers to overwrite the docker-compose.yml file and potentially achieve Remote Code Execution.

Am I affected by CVE-2026-25116 in Runtipi Homeserver?

You are affected if you are running Runtipi versions 4.5.0 through 4.7.1. Upgrade to version 4.7.2 to mitigate the vulnerability.

How do I fix CVE-2026-25116 in Runtipi Homeserver?

The recommended fix is to upgrade Runtipi to version 4.7.2. If immediate upgrade is not possible, restrict access to the /user/config endpoint.

Is CVE-2026-25116 being actively exploited?

Active exploitation is currently unconfirmed, but the vulnerability's severity and ease of exploitation warrant close monitoring.

Where can I find the official Runtipi advisory for CVE-2026-25116?

Refer to the official Runtipi project website and security advisories for the latest information and updates regarding CVE-2026-25116.
