Platform: docker
Component: runtipi
Fixed in: 4.5.1
CVE-2026-25116 describes a Path Traversal vulnerability discovered in Runtipi, a personal homeserver orchestrator. This vulnerability allows unauthenticated remote users to overwrite the system's critical docker-compose.yml configuration file, potentially leading to full Remote Code Execution (RCE) and compromise of the host filesystem. The vulnerability affects versions 4.5.0 through 4.7.1, and a fix is available in version 4.7.2.
The impact of CVE-2026-25116 is significant. Successful exploitation gives an attacker complete control over the Runtipi instance's configuration. By replacing the docker-compose.yml file with a malicious version, an attacker can inject arbitrary commands and services that are executed on the next instance restart. This effectively grants the attacker RCE on the underlying host, enabling them to steal sensitive data, install malware, or pivot to other systems within the network. Because no authentication is required, the attack surface is significantly broader than for an authenticated flaw. The impact resembles that of configuration file manipulation vulnerabilities seen in other orchestration platforms.
CVE-2026-25116 was publicly disclosed on January 29, 2026. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's ease of exploitation and the potential for significant impact. Active exploitation campaigns are currently unconfirmed, but the vulnerability's severity and ease of exploitation warrant close monitoring.
Exploit Status
EPSS: 0.10% (28th percentile)
The primary mitigation for CVE-2026-25116 is to immediately upgrade Runtipi to version 4.7.2 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the nature of the vulnerability, restricting access to the /user/config endpoint from untrusted networks can reduce the attack surface. Thoroughly review and audit the docker-compose.yml file for any unexpected modifications. After upgrading, confirm the fix by attempting to access the /user/config endpoint with a crafted path traversal request; the server should reject the request.
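The two administrative checks the mitigation paragraph asks for, as an added example that is not part of the advisory or of the Runtipi project: deciding whether an installed version falls in the affected 4.5.0 through 4.7.1 range, and auditing the live docker-compose.yml against a known-good baseline so that an unexpected overwrite is noticed. The compose samples, image names and the "rogue" service are constructed placeholders, not real Runtipi files; the service-name extraction is a deliberately dependency-free heuristic that assumes the conventional two-space YAML indentation.

```python
"""Defender-side checks for CVE-2026-25116 (added example, not Runtipi project code)."""
import difflib
import hashlib
import re

# Affected range as stated in the advisory: 4.5.0 through 4.7.1, fixed in 4.7.2.
AFFECTED_MIN = (4, 5, 0)
FIXED_IN = (4, 7, 2)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?")


def parse_version(text: str) -> tuple:
    """Turn '4.7.1', 'v4.7.1' or '4.7.1-rc1' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in [4.5.0, 4.7.2), i.e. 4.5.0 through 4.7.1."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def service_names(compose_text: str) -> set:
    """Heuristic: collect the keys nested directly under the top-level 'services:' block.

    Assumes two-space indentation (conventional for docker-compose files); a YAML
    parser would be more robust, but this keeps the example free of dependencies.
    """
    names = set()
    in_services = False
    for line in compose_text.splitlines():
        if re.fullmatch(r"services:\s*", line):
            in_services = True
            continue
        if in_services and line and not line.startswith(" "):
            in_services = False  # reached another top-level key (volumes:, networks:, ...)
        if in_services:
            m = re.fullmatch(r"  ([A-Za-z0-9_.-]+):\s*", line)
            if m:
                names.add(m.group(1))
    return names


def audit_compose(current: bytes, baseline: bytes) -> dict:
    """Compare the live docker-compose.yml with the last known-good copy.

    Returns whether the digests match, which services appeared that the baseline
    did not have, and a unified diff an operator can read line by line.
    """
    current_text = current.decode("utf-8", errors="replace")
    baseline_text = baseline.decode("utf-8", errors="replace")
    diff = list(difflib.unified_diff(
        baseline_text.splitlines(), current_text.splitlines(),
        fromfile="baseline", tofile="current", lineterm=""))
    return {
        "matches": sha256_hex(current) == sha256_hex(baseline),
        "current_sha256": sha256_hex(current),
        "added_services": service_names(current_text) - service_names(baseline_text),
        "diff": diff,
    }


# Constructed sample inputs (placeholders, not real Runtipi files):
# a baseline and a copy into which an extra service has been written.
BASELINE_COMPOSE = """services:
  runtipi:
    image: example/runtipi:placeholder
    ports:
      - "80:80"
volumes:
  data: {}
"""

TAMPERED_COMPOSE = BASELINE_COMPOSE.replace(
    "volumes:",
    "  rogue:\n    image: example/unexpected:placeholder\nvolumes:",
)


if __name__ == "__main__":
    for v in ("4.4.9", "4.5.0", "4.7.1", "4.7.2"):
        print(f"Runtipi {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    report = audit_compose(TAMPERED_COMPOSE.encode(), BASELINE_COMPOSE.encode())
    print("compose matches baseline:", report["matches"])
    print("unexpected services:", sorted(report["added_services"]))
    print("\n".join(report["diff"]))
```

In practice the baseline is the copy of docker-compose.yml taken right after the instance was last configured (or its recorded SHA-256), and the audit is run from cron or a file-integrity monitor; a mismatch or an unexpected service name is the signal to inspect the file before the next restart applies it.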
Update runtipi to version 4.7.2 or later. This version fixes the Path Traversal vulnerability that allows unauthenticated overwriting of the docker-compose.yml file. The update prevents remote code execution and compromise of the host filesystem.
CVE-2026-25116 is a Path Traversal vulnerability in Runtipi versions 4.5.0 through 4.7.1, allowing attackers to overwrite the docker-compose.yml file and potentially achieve Remote Code Execution.
You are affected if you are running Runtipi versions 4.5.0 through 4.7.1. Upgrade to version 4.7.2 to mitigate the vulnerability.
The recommended fix is to upgrade Runtipi to version 4.7.2. If immediate upgrade is not possible, restrict access to the /user/config endpoint.
Active exploitation is currently unconfirmed, but the vulnerability's severity and ease of exploitation warrant close monitoring.
Refer to the official Runtipi project website and security advisories for the latest information and updates regarding CVE-2026-25116.