CVE-2026-25116

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/runtipi/runtipi/releases/tag/v4.7.2	Product Release Notes
https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*

History

26 Feb 2026, 21:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:runtipi:runtipi::::::::
First Time		Runtipi Runtipi runtipi
References	~~() https://github.com/runtipi/runtipi/releases/tag/v4.7.2 -~~	() https://github.com/runtipi/runtipi/releases/tag/v4.7.2 - Product, Release Notes
References	~~() https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6 -~~	() https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6 - Exploit, Vendor Advisory

29 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-29 22:15

Updated : 2026-02-26 21:36

NVD link : CVE-2026-25116

Mitre link : CVE-2026-25116

CVE.ORG link : CVE-2026-25116

JSON object : View

Products Affected

runtipi

runtipi

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-25116", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-01-29T22:15:56.110", "references": [{"url": "https://github.com/runtipi/runtipi/releases/tag/v4.7.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability."}], "lastModified": "2026-02-26T21:36:19.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DE14B0D-E9DF-4F18-BEC4-6603D6B645A7", "versionEndExcluding": "4.7.2", "versionStartIncluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}