CVE-2026-25116 in Runtipi
Summary
by MITRE • 01/30/2026
Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.
Analysis
by VulDB Data Team • 02/27/2026
The vulnerability identified as CVE-2026-25116 affects Runtipi, a personal homeserver orchestrator designed to manage containerized applications through docker-compose configurations. This critical security flaw exists in versions 4.5.0 through 4.7.1, creating a significant risk for users who rely on this platform for home server orchestration. The vulnerability stems from inadequate input validation within the UserConfigController component, specifically in how the system handles Uniform Resource Names during path resolution operations. The flaw allows any remote attacker to exploit the insecure parsing mechanism and gain unauthorized access to critical system configuration files.
Technically, the vulnerability is a path traversal reached through insecure URN parsing within the UserConfigController module. When processing user requests, the system fails to properly sanitize or validate file paths, enabling attackers to manipulate the target file location during configuration updates. This insecure direct object reference vulnerability permits an attacker to specify arbitrary file paths, ultimately allowing the replacement of the core docker-compose.yml file that governs the entire system's container orchestration. The vulnerability maps directly to CWE-22 Path Traversal and CWE-23 Relative Path Traversal, both of which are classified under the OWASP Top Ten as critical security risks.
The operational impact of this vulnerability extends far beyond simple file replacement, as it creates a complete compromise of the host system's security posture. When an attacker successfully overwrites the docker-compose.yml file with malicious content, they gain the ability to execute arbitrary code within the host environment during the next system restart cycle. This RCE capability allows attackers to establish persistent access, escalate privileges, and potentially compromise all containers and services managed by the orchestrator. The vulnerability's unauthenticated nature means that no prior credentials or access are required, making it particularly dangerous for home server environments where network exposure is common. This aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter and T1078 for Valid Accounts, as attackers can leverage the compromised system to maintain access and execute malicious commands.
The exploitation chain begins with an attacker sending a crafted request to the vulnerable Runtipi instance, leveraging the insecure URN parsing to target the docker-compose.yml file. Once the malicious configuration is written to disk, the next restart of the Runtipi service triggers the execution of attacker-controlled container definitions, providing complete system compromise. The fix implemented in version 4.7.2 addresses this issue through proper input validation and path sanitization, ensuring that all file operations occur within designated safe directories and that URN parsing follows secure implementation practices. Organizations should immediately update to version 4.7.2 or later to mitigate this vulnerability, while also implementing network segmentation and monitoring for unusual file modification patterns in their home server environments. The vulnerability demonstrates the critical importance of validating all user inputs and implementing proper access controls in orchestrator systems that manage critical infrastructure configurations.
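The class of fix described above (input validation plus confinement of file operations to a safe directory) can be illustrated as follows. This is an added example, not Runtipi's code or its actual patch; the `<app>:<store>` identifier shape, the function names and the directory layout are assumptions made for illustration.

```javascript
// Added example; every name and path here is hypothetical, not Runtipi code.
const path = require("node:path");

const COMPOSE_FILE = "docker-compose.yml";
// Allowlist for one identifier segment: no dots, slashes or separators.
const SEGMENT = /^[a-z0-9][a-z0-9_-]{0,63}$/;

class UnsafePathError extends Error {}

// Vulnerable pattern: segments of the identifier go straight into the path,
// so ".." segments walk out of baseDir before the file name is appended.
function resolveUnsafe(baseDir, urn) {
  const [app, store] = urn.split(":");
  return path.join(baseDir, store, app, COMPOSE_FILE);
}

// True only when target is strictly below root. Comparing via path.relative
// avoids the startsWith() bug that accepts siblings such as "<root>-evil".
function isInside(root, target) {
  const rel = path.relative(path.resolve(root), path.resolve(target));
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Hardened pattern: validate the shape, allowlist each segment, then confirm
// the resolved path is still contained in baseDir (defense in depth).
function resolveSafe(baseDir, urn) {
  const parts = String(urn).split(":");
  if (parts.length !== 2) {
    throw new UnsafePathError("expected <app>:<store>");
  }
  const [app, store] = parts;
  for (const segment of [app, store]) {
    if (!SEGMENT.test(segment)) {
      throw new UnsafePathError("illegal identifier segment");
    }
  }
  const target = path.resolve(baseDir, store, app, COMPOSE_FILE);
  if (!isInside(baseDir, target)) {
    throw new UnsafePathError("resolved path escapes the base directory");
  }
  return target;
}
```

The containment check is lexical; where symlinks can exist under the base directory, resolve the parent directory with `fs.realpathSync` before comparing.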