Runtipi vulnerable to unauthenticated docker-compose.yml Overwrite via Path Traversal

7.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Description

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.

Basic Information

ID CVE-2026-25116

Source GitHub_M

Published Jan 29, 2026 at 21:49

Affected Product

Vendor runtipi

Product runtipi

Version >= 4.5.0, < 4.7.2

Affected Versions runtipi runtipi >= 4.5.0, < 4.7.2

CWE Classification

CWE-22 CWE-306

References

{
    "lastseen": "",
    "description": "Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.",
    "published": "2026-01-29T21:49:49.450Z",
    "modified": "2026-01-29T21:49:49.450Z",
    "type": "cve",
    "title": "Runtipi vulnerable to unauthenticated docker-compose.yml Overwrite via Path Traversal",
    "source": "GitHub_M",
    "references": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6\nhttps://github.com/runtipi/runtipi/releases/tag/v4.7.2",
    "id": "CVE-2026-25116",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "runtipi runtipi >= 4.5.0, < 4.7.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "runtipi",
    "version": ">= 4.5.0, < 4.7.2",
    "vendor": "runtipi",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Runtipi vulnerable to unauthenticated docker-compose.yml Overwrite via Path Traversal_CVE-2026-25116