CVE-2026-25116

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/runtipi/runtipi/releases/tag/v4.7.2	Product Release Notes
https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-29 22:15

Updated : 2026-02-26 21:36

NVD link : CVE-2026-25116

Mitre link : CVE-2026-25116

CVE.ORG link : CVE-2026-25116

JSON object : View

Products Affected

runtipi

runtipi

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-25116", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-01-29T22:15:56.110", "references": [{"url": "https://github.com/runtipi/runtipi/releases/tag/v4.7.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability."}, {"lang": "es", "value": "Runtipi es un orquestador personal de servidor dom\u00e9stico. A partir de la versi\u00f3n 4.5.0 y antes de la versi\u00f3n 4.7.2, una vulnerabilidad de salto de ruta no autenticada en el 'UserConfigController' permite a cualquier usuario remoto sobrescribir el archivo de configuraci\u00f3n 'docker-compose.yml' del sistema. Al explotar el an\u00e1lisis URN inseguro, un atacante puede reemplazar la configuraci\u00f3n de pila principal con una maliciosa, lo que resulta en una ejecuci\u00f3n remota de c\u00f3digo (RCE) completa y compromiso del sistema de archivos del host la pr\u00f3xima vez que el operador reinicie la instancia. La versi\u00f3n 4.7.2 corrige la vulnerabilidad."}], "lastModified": "2026-02-26T21:36:19.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DE14B0D-E9DF-4F18-BEC4-6603D6B645A7", "versionEndExcluding": "4.7.2", "versionStartIncluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}