CVE-2026-23520

CRITICAL

Arcane < 1.13.0 - Authenticated OS Command Injection via Lifecycle Label

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2026-23520. PoCs published by secopssite, Augmaster, 0xzap.

AI-analyzed exploit summary This repository contains a detailed technical writeup for CVE-2026-23520, focusing on a prototype pollution vulnerability in a Node.js application. It includes a step-by-step analysis of the vulnerability, exploitation process, and patching guidance.

Description

Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.

Exploits (6)

nomisec WRITEUP 9 stars
by secopssite · poc
https://github.com/secopssite/HTB

This repository contains a detailed technical writeup for CVE-2026-23520, focusing on a prototype pollution vulnerability in a Node.js application. It includes a step-by-step analysis of the vulnerability, exploitation process, and patching guidance.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: AgriWeb (Node.js farming dashboard application)
Auth required
Prerequisites: access to the target application · valid user credentials
devstral-2 · analyzed Apr 13, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Augmaster · poc
https://github.com/Augmaster/POC-CVE-2026-23520

This repository contains a functional exploit for CVE-2026-23520, an OS command injection vulnerability in Arcane Docker Management versions prior to 1.13.0. The exploit leverages unsanitized lifecycle labels to achieve remote code execution when an admin triggers a container update.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Arcane Docker Management < 1.13.0
Auth required
Prerequisites: Authenticated user credentials · Admin-triggered container update
devstral-2 · analyzed Mar 22, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 0xzap · poc
https://github.com/0xzap/CVE-2026-23520

The repository contains a functional Python exploit for CVE-2026-23520, demonstrating unauthenticated remote command execution in Arcane MCP via the /api/mcp/connect endpoint. The exploit sends a crafted JSON payload to execute a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Arcane MCP
No auth needed
Prerequisites: network access to target · listener setup for reverse shell
devstral-2 · analyzed Mar 22, 2026 Full analysis →
nomisec WORKING POC
by kikechans · poc
https://github.com/kikechans/-Educational-PoC-CVE-2026-23520

This repository contains a functional exploit for CVE-2026-23520, demonstrating a command injection vulnerability in the Model Context Protocol (MCP) connect endpoint. The exploit leverages unsanitized input in the 'command' and 'args' fields to execute a reverse shell, with support for virtual host routing to bypass proxy restrictions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Model Context Protocol (MCP) implementation in Arcane v1.13.0
No auth needed
Prerequisites: Python 3 · requests library · netcat listener · target IP/port · virtual host name
devstral-2 · analyzed May 27, 2026 Full analysis →
github WORKING POC
by kikechans · pythonpoc
https://github.com/kikechans/CVE-2026-23520-Educational

This repository contains a functional exploit for CVE-2026-23520, demonstrating a command injection vulnerability in the Model Context Protocol (MCP) connect endpoint. The exploit leverages unsanitized input in the 'command' and 'args' fields to execute a reverse shell, with support for virtual host routing to bypass proxy restrictions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Model Context Protocol (MCP) implementation in Arcane v1.13.0
No auth needed
Prerequisites: Python 3 · requests library · netcat listener · knowledge of target virtual host
devstral-2 · analyzed May 24, 2026 Full analysis →
nomisec WORKING POC
by cypher-21 · poc
https://github.com/cypher-21/CVE-2026-23520

This repository contains a functional Python-based exploit for CVE-2026-23520, targeting an MCP API endpoint vulnerable to remote command execution (RCE). The exploit sends a crafted JSON payload to execute a reverse shell via the `/api/mcp/connect` endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MCP API (specific version not specified)
No auth needed
Prerequisites: Network access to the target's MCP API endpoint · Listener set up for reverse shell
devstral-2 · analyzed Mar 24, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.0
EPSS 0.0002
EPSS Percentile 7.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
arcane/arcane < 1.13.0
getarcaneapp/arcane 0 - 0.0.0-20260114065515-5a9c2f92e11fGo
Published Jan 15, 2026
Tracked Since Feb 18, 2026