Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Description

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.

Basic Information

ID CVE-2026-47277

Source GitHub_M

Published Jun 16, 2026 at 21:43

Affected Product

Vendor runtipi

Product runtipi

Version >= 4.9.1, < 4.10.0

Affected Versions runtipi runtipi >= 4.9.1, < 4.10.0

CWE Classification

CWE-22 CWE-59

References

{
    "lastseen": "",
    "description": "Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.",
    "published": "2026-06-16T21:43:24.779Z",
    "modified": "2026-06-16T21:43:24.779Z",
    "type": "cve",
    "title": "Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks",
    "source": "GitHub_M",
    "references": "https://github.com/runtipi/runtipi/security/advisories/GHSA-qrqj-p7hm-4m66\nhttps://github.com/runtipi/runtipi/releases/tag/v4.10.0",
    "id": "CVE-2026-47277",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-59"
    ],
    "cvelist": null,
    "sourceData": "runtipi runtipi >= 4.9.1, < 4.10.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "runtipi",
    "version": ">= 4.9.1, < 4.10.0",
    "vendor": "runtipi",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks_CVE-2026-47277