CVE-2026-25116
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
3Tags
Description
Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.
Analysis
Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Runtipi versions 4.5.0-4.7.1 and isolate them from untrusted networks if possible; implement WAF rules to block requests to the vulnerable UserConfigController endpoint. Within 7 days: Upgrade to Runtipi version 4.7.2 or later if available, or disable the UserConfigController feature entirely. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today