CVE Catalog

CVE-2026-47277

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

31th percentile — higher than 31% of all known CVEs

Summary

Runtipi versions 4.9.1 through 4.9.3 allow arbitrary file read through an unauthenticated endpoint, leading to exposure of local files from the Runtipi container. The issue arises from improper path checking for symbolic links in app store repositories.

Risk Assessment

The organization may be exposed to the disclosure of sensitive data such as JWT secrets, service credentials, and local configurations, potentially leading to serious security breaches.

Recommendation

It is recommended to upgrade Runtipi to version 4.10.0 to mitigate this vulnerability and conduct a security audit to identify potential threats.

Original NVD description (English source)

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS