CVE-2026-24129
Published: 22 January 2026
Summary
CVE-2026-24129 is a high-severity OS Command Injection (CWE-78) vulnerability in Runtipi. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The vulnerability is ranked at the 23.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of user-uploaded backup filenames to block shell metacharacters, preventing OS command injection during the restore process.
Enforces restrictions on filename inputs such as allowed characters, length, and format to prohibit shell metacharacters from being persisted to the host filesystem.
Mandates timely identification, reporting, and remediation of flaws like the unsanitized filename handling, ensuring patching to version 4.7.0 or equivalent fixes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via unsanitized backup filenames directly enables Unix shell command execution (T1059.004) during restore. Because the effect crosses from the application into host execution with high impact, the issue also maps to Exploitation for Privilege Escalation (T1068).
NVD Description
Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.
Deeper analysis
CVE-2026-24129 is an OS command injection vulnerability (CWE-78) in Runtipi, a Docker-based personal homeserver orchestrator that facilitates running multiple services on a single server. It affects versions 3.7.0 and above, stemming from the BackupManager's failure to sanitize filenames of uploaded backups. The system persists these user-uploaded files directly to the host filesystem using the raw originalname from the request, enabling injection of shell metacharacters into filenames.
An authenticated user with sufficient privileges can exploit this by uploading a backup file with a malicious filename containing shell metacharacters, such as $(id).tar.gz, to a predictable path on the host filesystem. During the subsequent restore process, the system references this file and executes the embedded command, achieving arbitrary system command execution on the host server. The CVSS v3.1 base score is 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting network accessibility, high privileges required, changed scope, and high impacts on confidentiality, integrity, and availability.
The vulnerability has been fixed in Runtipi version 4.7.0. Mitigation details are available in the GitHub security advisory at https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9, the release notes at https://github.com/runtipi/runtipi/releases/tag/v4.7.0, and the fixing commit at https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a.
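As an added illustration (not Runtipi's code, and not taken from the fixing commit), the following contrasts the unsafe pattern the advisory describes, a raw upload originalname interpolated into a shell command line, with a hardened restore path that allowlists the stored filename and passes it as a single argv element with no shell involved. The directory paths, the allowed naming pattern and the function names are assumptions for this example.

```typescript
import * as path from "node:path";

// Allowlist for stored backup names. The pattern is an assumption for this
// example; only a conservative character set and a fixed extension are accepted.
const SAFE_BACKUP_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz$/;

// Returns true only for names that cannot carry shell metacharacters or
// directory components. Allowlisting beats a denylist of metacharacters,
// which differs between shells and is easy to get wrong.
function isSafeBackupFilename(name: string): boolean {
  if (!SAFE_BACKUP_NAME.test(name)) return false;
  if (name.includes("..")) return false;          // traversal fragment
  return path.basename(name) === name;            // no directory part
}

// Unsafe pattern (illustrative, not Runtipi's code): the raw originalname
// from the upload is interpolated into a command line later handed to a shell,
// so a name like "$(id).tar.gz" becomes a command substitution.
function buildRestoreCommandUnsafe(originalname: string): string {
  return `tar -xzf /data/backups/${originalname} -C /data/restore`;
}

// Hardened pattern: validate the name, then build an argv array for
// child_process.execFile / spawn without `shell: true`, so the filename is
// always one argument and never parsed by a shell.
function buildRestoreArgvSafe(originalname: string): { cmd: string; args: string[] } {
  if (!isSafeBackupFilename(originalname)) {
    throw new Error(`rejected backup filename: ${JSON.stringify(originalname)}`);
  }
  const target = path.join("/data/backups", originalname);
  return { cmd: "tar", args: ["-xzf", target, "-C", "/data/restore"] };
}

// Constructed sample names: the upload name quoted in the advisory and a benign one.
const MALICIOUS_NAME = "$(id).tar.gz";
const BENIGN_NAME = "backup-2026-01-22.tar.gz";

console.log(buildRestoreCommandUnsafe(MALICIOUS_NAME)); // a shell would expand $(id)
try {
  buildRestoreArgvSafe(MALICIOUS_NAME);
} catch (e) {
  console.log(String(e)); // rejected before any command is built
}
console.log(buildRestoreArgvSafe(BENIGN_NAME).args);
```

Rejecting the name at upload time (before it is persisted to the host filesystem) is the earlier of the two checkpoints the advisory's SI-10 mapping calls for; the argv construction is the second layer for the restore step.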
Details
- CWE(s)