Cyber Posture

CVE-2026-25116

Severity: High · Public PoC available

Published: 29 January 2026

Modified: 26 February 2026
KEV Added: (no entry)
Patch: available, version 4.7.2
CVSS Score: 7.6 (High) · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability.

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces approved authorizations, preventing unauthenticated remote access to the UserConfigController endpoint.

prevent: Validates inputs to block the path traversal via insecure URN parsing that enables overwriting docker-compose.yml.

prevent: Requires identification and authentication of non-organizational users, blocking exploitation by unauthenticated remote attackers.

Upgrading to 4.7.2 removes the flaw; because the vulnerable endpoint itself performs no authentication, the first and third controls can only be applied in front of the application (reverse proxy or network restriction) while the upgrade is pending.

Security Summary

CVE-2026-25116 is an unauthenticated path traversal vulnerability (CWE-22) in the UserConfigController component of Runtipi, a personal homeserver orchestrator. Affecting versions 4.5.0 through 4.7.1, the flaw stems from insecure URN parsing that lets remote attackers overwrite the system's docker-compose.yml configuration file. It is also classified under CWE-306 (missing authentication for a critical function) and carries a CVSS v3.1 base score of 7.6 (High; AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).

Any unauthenticated remote user can exploit the vulnerability by crafting a request whose path traverses out of the intended directory and replaces the primary stack's docker-compose.yml with a tampered version. The file is not acted on immediately: the malicious configuration takes effect when the operator next restarts the Runtipi instance, which is the user interaction (UI:R) the CVSS vector reflects. At that point the attacker's containers start, giving full remote code execution (RCE) and host filesystem compromise.

The official Runtipi security advisory (GHSA-mwg8-x997-cqw6) and the release notes for version 4.7.2 confirm that upgrading to 4.7.2 or later resolves the vulnerability by addressing the path traversal and URN parsing issues. Because the payload only fires on restart, an operator still on an affected version should verify that docker-compose.yml has not been altered before restarting, and should upgrade rather than rely on that check.
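The bug class behind the summary above, as an added example that is not Runtipi's code: a controller maps a user-supplied identifier to a file under a per-user config directory and writes to it. The directory layout, the "app id" parameter, the resolver functions and the two compose texts are hypothetical stand-ins for the UserConfigController logic; the page does not show the real URN format. The naive resolver lets ".." (or an absolute path) escape the directory and land on the stack file, while the hardened one rejects separators and dot-segments and then confirms the fully resolved path, symlinks included, is still under the base.

```python
"""
Added example for the path traversal described above; this is not Runtipi's code.
The directory names, the "app id" parameter and the resolver functions are
hypothetical stand-ins for the UserConfigController logic.
"""
import os
import tempfile
from pathlib import Path

# Hypothetical layout: per-app user configs live under user-config/, and the
# stack file the advisory says gets overwritten sits one level above it.
RUNTIPI_ROOT = Path(tempfile.mkdtemp(prefix="runtipi-demo-"))
USER_CONFIG_DIR = RUNTIPI_ROOT / "user-config"
COMPOSE_FILE = RUNTIPI_ROOT / "docker-compose.yml"

ORIGINAL_COMPOSE = "services:\n  runtipi:\n    image: runtipi/runtipi:4.7.1\n"  # constructed
MALICIOUS_COMPOSE = (  # constructed payload: privileged container with the host root mounted
    "services:\n  pwn:\n    image: attacker/persist\n    privileged: true\n"
    "    volumes:\n      - /:/host\n"
)


def setup_demo() -> None:
    USER_CONFIG_DIR.mkdir(parents=True, exist_ok=True)
    COMPOSE_FILE.write_text(ORIGINAL_COMPOSE)
    link = USER_CONFIG_DIR / "evil-link"  # a symlink inside the dir that points back at the root
    if not link.is_symlink():
        os.symlink(RUNTIPI_ROOT, link)


def vulnerable_target(app_id: str) -> Path:
    """Naive mapping: concatenate the id and trust the OS to resolve it.
    '..' walks upward; an absolute id makes os.path.join discard the base entirely."""
    return Path(os.path.join(USER_CONFIG_DIR, app_id, "docker-compose.yml"))


def _inside(candidate: Path, base: Path) -> bool:
    try:
        candidate.relative_to(base)
        return True
    except ValueError:
        return False


def hardened_target(app_id: str) -> Path:
    """Reject separators and dot-segments, then confirm the resolved path is still under the base."""
    if not app_id or "/" in app_id or "\\" in app_id or app_id in (".", ".."):
        raise ValueError(f"rejected app id {app_id!r}")
    base = USER_CONFIG_DIR.resolve()
    candidate = (base / app_id / "docker-compose.yml").resolve()  # resolve() follows symlinks
    if not _inside(candidate, base):  # catches the symlink case the character filter cannot
        raise ValueError(f"{app_id!r} resolves outside the user config dir")
    return candidate


def write_user_config(app_id: str, body: str, resolver) -> Path:
    target = resolver(app_id)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)
    return target


def demo() -> dict:
    setup_demo()
    # Vulnerable resolver: ".." walks out of user-config and clobbers the stack file.
    written = write_user_config("..", MALICIOUS_COMPOSE, vulnerable_target)
    # Hardened resolver: the same input, an absolute path, an empty id and a symlink escape are refused.
    rejected = []
    for bad in ("..", "../x", "/etc/cron.d", "", "evil-link"):
        try:
            hardened_target(bad)
        except ValueError:
            rejected.append(bad)
    legit = hardened_target("nextcloud")  # an ordinary id still resolves inside the directory
    return {
        "vuln_hit_compose": written.resolve() == COMPOSE_FILE.resolve(),
        "compose_overwritten": COMPOSE_FILE.read_text() == MALICIOUS_COMPOSE,
        "rejected": rejected,
        "legit_inside": _inside(legit, USER_CONFIG_DIR.resolve()),
    }


if __name__ == "__main__":
    print(demo())
```

The character filter alone would pass "evil-link", which is why the resolve-then-contain check is kept as a second layer: any directory an attacker can plant a symlink in turns a name-only filter into a bypass.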

Details

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-306: Missing Authentication for Critical Function

Affected Products

Vendor: runtipi
Product: runtipi
Versions: 4.5.0 up to and including 4.7.1 (fixed in 4.7.2)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated path traversal vulnerability in public-facing UserConfigController enables remote overwriting of critical docker-compose.yml configuration file, leading to RCE upon restart, directly mapping to exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
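Because the overwritten stack file only takes effect on the next restart, the window between overwrite and restart is where an operator can still catch this. The following is an added example, not a Cyber Posture or Runtipi tool: a version-range check using the bounds from the advisory, and a drift check that diffs the live docker-compose.yml against a known-good copy and flags added lines of the kind a tampered stack file tends to carry. The two compose texts and the "suspicious line" patterns are constructed for this demo.

```python
"""
Added example (not a Cyber Posture or Runtipi tool): two checks an operator can
run before restarting an instance. Version bounds come from the advisory; the
sample compose texts and the SUSPICIOUS patterns are constructed for this demo.
"""
import difflib
import re

AFFECTED_MIN = (4, 5, 0)  # first affected release
FIXED = (4, 7, 2)         # first fixed release


def parse_version(v: str) -> tuple:
    """Accept '4.7.1', 'v4.7.1' or '4.7.1-beta.2'; pre-release/build suffixes are ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(v: str) -> bool:
    """True for 4.5.0 <= v < 4.7.2."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


# Additions a tampered compose file is likely to carry. Order matters: the first
# matching pattern supplies the reason.
SUSPICIOUS = [
    (re.compile(r"^\s*-\s*['\"]?/:"), "host root bind-mounted"),
    (re.compile(r"^\s*-\s*['\"]?/var/run/docker\.sock:"), "docker socket mounted"),
    (re.compile(r"^\s*privileged:\s*true"), "privileged container"),
    (re.compile(r"^\s*network_mode:\s*['\"]?host"), "host networking"),
    (re.compile(r"^\s*image:"), "new image"),
]


def compose_drift(baseline: str, current: str) -> list:
    """Lines added relative to a known-good copy that match a SUSPICIOUS pattern, as (line, reason)."""
    findings = []
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    for line in diff:
        if not line.startswith("+") or line.startswith("+++"):
            continue  # removals, hunk markers and the file header are not of interest
        added = line[1:]
        for pattern, reason in SUSPICIOUS:
            if pattern.search(added):
                findings.append((added.strip(), reason))
                break
    return findings


# Constructed sample: a known-good stack file and a tampered copy with an extra service.
BASELINE = (
    "services:\n"
    "  runtipi:\n"
    "    image: runtipi/runtipi:4.7.1\n"
    "    volumes:\n"
    "      - ./state:/app/state\n"
)
TAMPERED = BASELINE + (
    "  persist:\n"
    "    image: alpine:3.19\n"
    "    privileged: true\n"
    "    volumes:\n"
    "      - /:/host\n"
    "      - /var/run/docker.sock:/var/run/docker.sock\n"
)

if __name__ == "__main__":
    for v in ("4.4.0", "4.5.0", "v4.7.1", "4.7.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    for line, reason in compose_drift(BASELINE, TAMPERED):
        print(f"{reason:24} {line}")
```

The drift check is only as good as the baseline: take the known-good copy from version control or a backup made before the instance was exposed, not from the running host, and treat any finding as a reason to restore the file and upgrade before restarting.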

References