CVE-2026-25116

7.6 HIGH

📋 TL;DR

CVE-2026-25116 is an unauthenticated path traversal vulnerability in the Runtipi homeserver orchestrator that allows remote attackers to overwrite the docker-compose.yml configuration file. This leads to remote code execution and host filesystem compromise when the instance is restarted. All Runtipi instances running versions 4.5.0 through 4.7.1 are affected.

💻 Affected Systems

Products:
  • Runtipi
Versions: 4.5.0 through 4.7.1
Operating Systems: Linux, Docker-compatible systems
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within the affected version range are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Runtipi is a self-hosted homeserver orchestrator that deploys and manages applications as Docker containers, driven by a docker-compose.yml configuration that the orchestrator itself maintains.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining root-level access to the host, deploying malicious containers, stealing sensitive data, and establishing persistent backdoors.

🟠 Likely Case: Attackers deploy cryptocurrency miners, ransomware, or botnet clients on vulnerable systems, causing resource exhaustion and potential data loss.

🟢 If Mitigated: Attack attempts are detected and blocked by network controls, with no successful exploitation due to proper segmentation and monitoring.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and remotely exploitable, making internet-facing instances immediate targets.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires simple HTTP requests with path traversal payloads. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.2

Vendor Advisory: https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update Runtipi to version 4.7.2 using your deployment method.
3. Restart the Runtipi service.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Network Access Restriction


Restrict network access to the Runtipi management interface to trusted IPs only. Adjust the port to the one your instance actually listens on, and note that -A appends, so an earlier rule that already accepts this traffic will take precedence.

iptables -A INPUT -p tcp --dport 3000 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

File Permission Hardening


Set strict permissions on docker-compose.yml to prevent unauthorized writes. Mode bits only constrain processes that do not run as root, so this is a defence-in-depth step, not a substitute for patching.

chmod 600 /path/to/docker-compose.yml
chown root:root /path/to/docker-compose.yml

🧯 If You Can't Patch

  • Isolate Runtipi instance on separate network segment with strict firewall rules
  • Implement application-level WAF with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check Runtipi version via web interface or configuration files. Versions 4.5.0 through 4.7.1 are vulnerable.

Check Version:

docker exec runtipi-app cat /app/package.json | grep version

Verify Fix Applied:

Confirm the version is 4.7.2 or higher. Path traversal test requests should be rejected with proper error handling.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with '../' sequences in URL parameters
  • Unauthorized write attempts to docker-compose.yml
  • Unexpected container restarts or new container deployments

Network Indicators:

  • HTTP POST/PUT requests to UserConfigController endpoints with path traversal payloads
  • Unusual outbound connections from Runtipi host after restart

SIEM Query:

source="runtipi" AND (url="*../*" OR event="*docker-compose*" OR status=500)
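As an added example (not from the advisory or the Runtipi project), the following scanner applies the log and network indicators above to web access-log lines: it percent-decodes each request target until stable, flags ".." segments, and rates write methods that reach docker-compose.yml highest, which catches encoded forms such as %2e%2e that the literal "*../*" SIEM match above misses. The log lines and the /api/user-config paths are constructed placeholders standing in for the UserConfigController routes, which this page does not name.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format). The /api/user-config
# paths stand in for the UserConfigController routes named in the advisory;
# the real route names are not given here.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "PUT /api/user-config/app?file=..%2F..%2Fdocker-compose.yml HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Mar/2026:10:00:01 +0000] "GET /api/apps HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2026:10:00:02 +0000] "POST /api/user-config/app/%2e%2e/%2e%2e/docker-compose.yml HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /api/user-config/app?file=%252e%252e%252fdocker-compose.yml HTTP/1.1" 404 0',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment that is not part of a longer name such as "app..yml", followed by "/", ";" or end of string.
TRAVERSAL_RE = re.compile(r'(?<![.\w])\.\.(?=/|;|$)')

def normalize_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding); fold backslashes to slashes."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')

def scan_line(line: str):
    """Return a finding dict for a traversal-looking request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize_target(m.group('target'))
    if not TRAVERSAL_RE.search(norm):
        return None
    return {
        'ip': m.group('ip'),
        'method': m.group('method'),
        'status': int(m.group('status')),
        'normalized': norm,
        'touches_compose': 'docker-compose.yml' in norm,
        # A write method aimed at a traversal path is the strongest signal.
        'severity': 'high' if m.group('method') in {'POST', 'PUT', 'PATCH'} else 'medium',
    }

def scan_logs(lines):
    return [hit for hit in map(scan_line, lines) if hit]

if __name__ == '__main__':
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit['severity'], hit['ip'], hit['method'], hit['normalized'])
```

Feed it the reverse proxy or application access log in front of Runtipi; repeated hits from one source against the same target, especially ones returning 200, are worth correlating with the container-restart indicators listed above.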
