CVE-2026-47277

MEDIUM

Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks

Title source: cna

Description

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/runtipi/runtipi/security/advisories/GHSA-qrqj-p7hm-4m66

X_Refsource_Misc x_refsource_misc

https://github.com/runtipi/runtipi/releases/tag/v4.10.0

Scores

CVSS v3 6.5

EPSS 0.0040

EPSS Percentile 31.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22 CWE-59

Status published

Products (1)

runtipi/runtipi >= 4.9.1, < 4.10.0

Published Jun 17, 2026

Tracked Since Jun 17, 2026