Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
The vector rates attack complexity Low (AC:L) and user interaction Required (UI:R): the prerequisite is that an administrator configures the attacker-controlled Git app-store repository as an app source. PR:N applies because, once that precondition is met, the logo endpoint itself requires no authentication.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Description (CVE.org)
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.
Analysis (AI)
Arbitrary file read in Runtipi 4.9.1-4.9.3 exposes sensitive container secrets via symlink following in an unauthenticated app-store logo endpoint. An attacker who controls a Git-based app-store repository can embed a symbolic link as a marketplace logo file; because the path guard performs only lexical validation before Node.js reads the file, Runtipi resolves and returns the symlink target, potentially leaking /data/.env, JWT secrets, service credentials, and seed values to any unauthenticated requester. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the attacker can place a symbolic link within a Git app-store repository that is subsequently configured as an active app source in the target Runtipi instance. … |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) rates this as Medium severity. … |
| Exploit Scenario | An attacker creates a Git repository structured as a Runtipi app store, placing a file at metadata/logo.jpg that is actually a symbolic link pointing to /data/.env or /data/state/seed inside the Runtipi container. After social-engineering an administrator into configuring this malicious repository as a custom app store, the attacker directly requests the unauthenticated logo endpoint for that app; Runtipi resolves the symlink and returns the .env file contents, exposing JWT signing secrets and service credentials in the HTTP response body. … |
| Remediation | Vendor-released patch: v4.10.0. … |
External POC / Exploit Code
EUVD-2026-37508