CVE-2026-24129
📋 TL;DR
CVE-2026-24129 is a command injection vulnerability in Runtipi that allows authenticated users to execute arbitrary system commands on the host server. An attacker uploads a backup whose filename contains shell metacharacters; the filename is later interpolated into a shell command during the restore process, so the embedded commands run when the backup is restored. This affects all Runtipi installations running versions 3.7.0 up to and including 4.6.x; version 4.7.0 contains the fix.
💻 Affected Systems
- Runtipi
📦 What is this software?
Runtipi by Runtipi: a self-hosted home-server manager that installs and runs applications as Docker containers, administered through a web UI that includes backup and restore of the installation.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the host server. If the Runtipi process runs as root or can reach the Docker socket (which is root-equivalent on the host), the injected command inherits that privilege, allowing attackers to install malware, exfiltrate data, pivot to other systems, or destroy the server.
Likely Case
Authenticated attackers gain a shell in the context of the Runtipi backup/restore process, which is typically enough to reach every Docker container and service that Runtipi manages.
If Mitigated
With proper network segmentation and least privilege, impact could be limited to the Runtipi application server only.
🎯 Exploit Status
Exploitation requires an authenticated account with access to the backup upload and restore functions; no memory corruption or timing is involved, so once authenticated it is straightforward. The vulnerability is in the backup filename handling: the name accepted at upload is reused, unsanitised, in a shell command at restore.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.0
Vendor Advisory: https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9
Restart Required: Yes
Instructions:
1. Back up your Runtipi configuration and data before updating.
2. Update to version 4.7.0 using the Runtipi update mechanism or the Docker commands you normally use to upgrade.
3. Restart all Runtipi services.
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Disable Backup Upload Feature (Linux)
Temporarily disable the backup upload functionality in Runtipi to prevent exploitation.
Modify the Runtipi configuration to disable backup uploads, or restrict access to the backup management interface. If your version offers no dedicated setting, block the backup routes at the reverse proxy for all but administrative source addresses. Note that backups already uploaded with crafted names remain dangerous until they are deleted, because the injection fires at restore time.
Implement WAF Rules (all platforms)
Add web application firewall rules to block requests containing shell metacharacters in filenames.
Add WAF rule: deny requests with filename parameters containing $(, `, ;, |, &, >, <. Treat this as a stopgap: uploads usually carry the filename in a multipart Content-Disposition header, so the rule must inspect request bodies rather than only the query string, and a denylist misses variants such as newlines and ${...}. An allowlist of [A-Za-z0-9._-] is more robust.
🧯 If You Can't Patch
- Restrict access to Runtipi web interface to trusted users only using network ACLs
- Implement strict input validation at the reverse proxy/load balancer level to reject filenames with shell metacharacters; prefer an allowlist of [A-Za-z0-9._-] over a denylist of metacharacters
- Delete any already-uploaded backup whose filename contains metacharacters before anyone runs a restore
🔍 How to Verify
Check if Vulnerable:
Check the Runtipi version: 3.7.0 up to and including 4.6.x is vulnerable. Also review the filenames of already-uploaded backups on disk for shell metacharacters; a crafted name there indicates an exploitation attempt has already taken place.
Check Version:
docker exec runtipi-app grep '"version"' /app/package.json
Adjust the container name (see docker ps) and the path if your deployment differs.
Verify Fix Applied:
After updating to 4.7.0, upload a backup whose filename contains a harmless metacharacter sequence (for example a semicolon followed by a benign word); the upload should be rejected or the name sanitised, and restoring it should run nothing beyond the archive extraction.
📡 Detection & Monitoring
Log Indicators:
- Backup upload requests with unusual filenames containing $(, `, ; characters
- Unexpected child processes (sh, curl, wget and the like) spawned by the Runtipi backup or restore process
- Failed backup restore attempts with error messages
Network Indicators:
- HTTP POST requests to /api/backup/upload endpoint with suspicious filenames
- Outbound connections from Runtipi server to unexpected destinations
SIEM Query (Splunk-style; adapt the source and field names to your logging, and extend the character list to |, &, <, >):
source="runtipi" AND (filename="*$(*" OR filename="*`*" OR filename="*;*")
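As an added example (not from the page or from Runtipi), here is the detection logic behind the indicators above, run over constructed log lines. The line format, user names and timestamps are invented for this example; only the `/api/backup/upload` route and the metacharacter list come from the page. Adapt `extractUpload` to your reverse-proxy or application log format, and treat the `.tar.gz` check as an assumed naming convention.

```javascript
// Added example (constructed data, not Runtipi's or the page's code): flag
// backup uploads whose filename carries shell metacharacters or path tricks.

// Characters the page lists ($(, backtick, ;, |, &, >, <) plus line breaks.
const SHELL_META = /[`$;|&<>\r\n]/;

// Constructed sample log: ISO time, method, route, key=value fields.
const SAMPLE_LOG = [
  '2026-02-01T10:00:00Z POST /api/backup/upload user=alice filename="runtipi-2026-02-01.tar.gz"',
  '2026-02-01T10:01:12Z POST /api/backup/upload user=bob filename="backup;id.tar.gz"',
  '2026-02-01T10:02:45Z POST /api/backup/upload user=bob filename="$(id).tar.gz"',
  '2026-02-01T10:03:01Z POST /api/backup/upload user=mallory filename="`id`.tar.gz"',
  '2026-02-01T10:04:09Z GET /api/backup/list user=alice',
  '2026-02-01T10:05:30Z POST /api/backup/upload user=carol filename="../../etc/cron.d/x.tar.gz"',
];

// Parse one line of the constructed format; returns null when the line
// carries no filename field (non-upload requests).
function extractUpload(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)\s.*?\bfilename="([^"]*)"/);
  if (!m) return null;
  const [, time, method, route, filename] = m;
  return { time, method, route, filename };
}

// Reasons a filename is suspicious; empty array means it looks benign.
function classifyFilename(filename) {
  const reasons = [];
  if (SHELL_META.test(filename)) reasons.push('shell metacharacter');
  if (/[\\/]/.test(filename) || filename.includes('..')) {
    reasons.push('path separator or traversal');
  }
  // Assumed convention: legitimate backups end in .tar.gz. Adjust if yours differ.
  if (!/\.tar\.gz$/i.test(filename)) reasons.push('unexpected extension');
  return reasons;
}

// Scan log lines and return the upload records that deserve an alert.
function findSuspiciousUploads(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = extractUpload(line);
    if (!rec || rec.method !== 'POST' || !rec.route.startsWith('/api/backup/upload')) continue;
    const reasons = classifyFilename(rec.filename);
    if (reasons.length > 0) hits.push({ ...rec, reasons });
  }
  return hits;
}
```

On the constructed sample this flags four of the six lines (the semicolon, `$(`, backtick and traversal names) and ignores the benign upload and the list request. Because the check is an allowlist-style classification rather than the three-character denylist in the SIEM query above, it also catches `|`, `&`, redirects and newlines that the query would miss.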