Cyber Posture

CVE-2026-25116

Severity: High · Public PoC

Published: 29 January 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: fixed in version 4.7.2
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25116 is a high-severity Path Traversal (CWE-22) vulnerability in Runtipi (vendor: Runtipi). Its CVSS base score is 7.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 29.6th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Enforces approved authorizations, preventing unauthenticated remote access to the UserConfigController endpoint (AC-3, Access Enforcement).
- prevent: Validates inputs to mitigate the path traversal via insecure URN parsing that would otherwise allow the docker-compose.yml file to be overwritten.
- prevent: Requires identification and authentication for non-organizational users, blocking exploitation by unauthenticated remote attackers (IA-8).

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The unauthenticated path traversal in the public-facing UserConfigController lets a remote attacker overwrite the critical docker-compose.yml configuration file, which leads to RCE when the instance is next restarted. This maps directly to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.

Deeper analysis (AI-generated)

CVE-2026-25116 is an unauthenticated path traversal vulnerability (CWE-22) in the UserConfigController component of Runtipi, a personal homeserver orchestrator. Affecting versions 4.5.0 through 4.7.1, the flaw stems from insecure URN parsing, which lets remote attackers overwrite the system's docker-compose.yml configuration file. It also involves CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).

Any unauthenticated remote user can exploit the vulnerability by crafting a request whose URN traverses outside the intended directory and replaces the primary stack's docker-compose.yml with a tampered version. When the operator next restarts the Runtipi instance, the tampered configuration is applied, granting full remote code execution (RCE) and host filesystem compromise.

The official Runtipi security advisory (GHSA-mwg8-x997-cqw6) and release notes for version 4.7.2 confirm that upgrading to 4.7.2 or later resolves the vulnerability by addressing the path traversal and URN parsing issues.
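The input-validation half of the mitigation above, as an added example that is not Runtipi's code: app URNs are parsed with a strict per-segment allowlist, and the resolved compose path is checked to stay inside the user-config directory. The URN format (`<app>:<store>`), the directory layout and all names are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Assumed layout (illustrative, not Runtipi's real structure): per-app user overrides
// live at <baseDir>/<store>/<app>/docker-compose.yml and an app URN is "<app>:<store>".
const SEGMENT = /^[a-z0-9][a-z0-9_-]{0,63}$/;

/**
 * Resolve the user-config compose file for an app URN. Returns null when the URN is
 * malformed or when the resolved path would escape baseDir. The allowlist on each
 * segment is the primary control; the containment check is defence in depth.
 */
function resolveUserConfigPath(baseDir: string, urn: string): string | null {
  const parts = urn.split(":");
  if (parts.length !== 2 || !parts.every((p) => SEGMENT.test(p))) {
    return null; // wrong arity, empty segment, "..", "/", "%2e" etc. all fail here
  }
  const [app, store] = parts;
  const root = path.posix.resolve(baseDir);
  const target = path.posix.resolve(root, store, app, "docker-compose.yml");
  // Containment: the target must sit strictly below root, never be root itself
  // or a sibling such as the stack-level docker-compose.yml one level up.
  if (!target.startsWith(root + path.posix.sep)) {
    return null;
  }
  return target;
}

// Constructed sample URNs: one well-formed, the rest malformed or traversal attempts.
const SAMPLE_URNS: string[] = [
  "myapp:mystore",                   // well-formed
  "../../docker-compose.yml:mystore", // traversal in the app segment
  "myapp:%2e%2e",                    // URL-encoded traversal, rejected by allowlist
  "myapp",                           // missing store segment
  "myapp:mystore:extra",             // too many segments
];

// Map each sample URN to its resolved path (or null when rejected).
function classify(baseDir: string): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const u of SAMPLE_URNS) out[u] = resolveUserConfigPath(baseDir, u);
  return out;
}
```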

Details

CWE(s): CWE-22 (Path Traversal), CWE-306 (Missing Authentication for Critical Function)

Affected Products

runtipi / runtipi: versions 4.5.0 up to, but not including, 4.7.2

CVEs Like This One

- CVE-2026-31881: same product (Runtipi)
- CVE-2026-32729: same product (Runtipi)
- CVE-2026-24129: same product (Runtipi)
- CVE-2026-26340: shared CWE-306
- CVE-2025-54816: shared CWE-306
- CVE-2026-27897: shared CWE-22, CWE-306
- CVE-2025-53072: shared CWE-306
- CVE-2024-36512: shared CWE-22
- CVE-2025-14727: shared CWE-22
- CVE-2026-4640: shared CWE-306
