📄 Description (English)
Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.
🤖 AI Executive Summary
CVE-2026-24129 is a critical command injection vulnerability in Runtipi versions 3.7.0 and above that allows authenticated users to execute arbitrary system commands on the host server through maliciously crafted backup filenames. The vulnerability stems from insufficient input sanitization in the BackupManager component, enabling attackers to inject shell metacharacters into backup filenames that are executed during the restore process. With an active exploit available and affecting a widely-used homeserver orchestrator, this poses significant risk to organizations running Runtipi in production environments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 18:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations operating Runtipi instances for infrastructure management and service orchestration. Government entities (NCA, CITC) using Runtipi for internal service management face significant risk of unauthorized system access and data exfiltration. Financial institutions and fintech companies leveraging Runtipi for backend infrastructure could experience compromise of payment processing systems and customer data. Healthcare organizations using Runtipi for medical data management systems are at risk of HIPAA-equivalent violations under Saudi healthcare regulations. Telecommunications providers and energy sector organizations (ARAMCO subsidiaries) running Runtipi for operational technology orchestration face critical infrastructure compromise risks. The vulnerability is particularly dangerous in multi-tenant environments where authenticated users from different departments could exploit this to gain host-level access.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry of Interior)
Banking and Financial Services (SAMA regulated institutions)
Healthcare (MOH, private hospitals)
Energy and Utilities (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
Education (Universities, research institutions)
Critical Infrastructure Operators
🎯 MITRE ATT&CK Techniques
T1059.004 - Command and Scripting Interpreter: Unix Shell
T1190 - Exploit Public-Facing Application
T1068 - Exploitation for Privilege Escalation
T1543.002 - Create or Modify System Process: Systemd Service
T1547.001 - Boot or Logon Initialization Scripts: Logon Script (Unix)
T1070.004 - Indicator Removal: File Deletion
T1083 - File and Directory Discovery
T1005 - Data from Local System
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Runtipi instances running versions 3.7.0 through 4.6.x using: docker ps | grep runtipi and docker inspect <container_id> | grep -i version
2. Restrict access to backup functionality to trusted administrators only through role-based access controls
3. Disable backup/restore features if not actively required until patching is completed
4. Review backup logs for suspicious filenames containing shell metacharacters: $(, `, |, &, ;, >, <, newlines
PATCHING GUIDANCE:
1. Upgrade Runtipi to version 4.7.0 or later immediately
2. For Docker deployments: docker pull runtipi:4.7.0 && docker-compose up -d
3. Verify patch application: docker exec <container_id> runtipi --version
4. Test backup and restore functionality in non-production environment first
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement strict input validation on backup filenames using regex: ^[a-zA-Z0-9._-]+\.tar\.gz$ only
2. Run Runtipi container with restricted capabilities: --cap-drop=ALL --cap-add=NET_BIND_SERVICE
3. Use AppArmor or SELinux profiles to restrict backup process execution scope
4. Implement file integrity monitoring on backup directory: aide --init && aide --check
5. Monitor for command injection attempts in container logs: docker logs <container_id> | grep -E '\$\(|`|;|\||&'
DETECTION RULES:
1. Alert on backup filenames containing: $, `, |, &, ;, >, <, newline characters
2. Monitor process execution from backup restore operations for unexpected child processes
3. Log all backup upload/restore operations with full filename and user context
4. Alert on any restore operation taking longer than baseline (potential command execution)
5. Monitor for file creation in backup directory with non-standard permissions
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع مثيلات Runtipi التي تعمل بالإصدارات 3.7.0 إلى 4.6.x باستخدام: docker ps | grep runtipi و docker inspect <container_id> | grep -i version
2. تقييد الوصول إلى وظيفة النسخ الاحتياطية للمسؤولين الموثوقين فقط من خلال عناصر التحكم في الوصول القائمة على الأدوار
3. تعطيل ميزات النسخ الاحتياطي/الاستعادة إذا لم تكن مطلوبة بنشاط حتى يتم إكمال التصحيح
4. مراجعة سجلات النسخ الاحتياطية للأسماء المريبة التي تحتوي على أحرف metacharacters: $(, `, |, &, ;, >, <, أسطر جديدة
إرشادات التصحيح:
1. ترقية Runtipi إلى الإصدار 4.7.0 أو أحدث على الفور
2. لنشر Docker: docker pull runtipi:4.7.0 && docker-compose up -d
3. التحقق من تطبيق التصحيح: docker exec <container_id> runtipi --version
4. اختبار وظيفة النسخ الاحتياطي والاستعادة في بيئة غير الإنتاج أولاً
عناصر التحكم التعويضية (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ التحقق الصارم من صحة المدخلات على أسماء ملفات النسخ الاحتياطية باستخدام regex: ^[a-zA-Z0-9._-]+\.tar\.gz$ فقط
2. تشغيل حاوية Runtipi بقدرات مقيدة: --cap-drop=ALL --cap-add=NET_BIND_SERVICE
3. استخدام ملفات تعريف AppArmor أو SELinux لتقييد نطاق تنفيذ عملية النسخ الاحتياطي
4. تنفيذ مراقبة سلامة الملفات في دليل النسخ الاحتياطية: aide --init && aide --check
5. مراقبة محاولات حقن الأوامر في سجلات الحاوية: docker logs <container_id> | grep -E '\$\(|`|;|\||&'
قواعد الكشف:
1. تنبيه على أسماء ملفات النسخ الاحتياطية التي تحتوي على: $, `, |, &, ;, >, <, أحرف سطر جديد
2. مراقبة تنفيذ العملية من عمليات استعادة النسخ الاحتياطية للعمليات الفرعية غير المتوقعة
3. تسجيل جميع عمليات تحميل/استعادة النسخ الاحتياطية مع اسم الملف الكامل وسياق المستخدم
4. تنبيه على أي عملية استعادة تستغرق وقتاً أطول من خط الأساس (تنفيذ أوامر محتمل)
5. مراقبة إنشاء الملفات في دليل النسخ الاحتياطية بأذونات غير قياسية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies (input validation and secure coding practices)
A.6.2.1 - Access Control (authentication and authorization for backup operations)
A.12.2.1 - Change Management (secure deployment of patches)
A.12.6.1 - Management of Technical Vulnerabilities (timely patching)
🔵 SAMA CSF
ID.GV-1 - Organizational context and governance (vulnerability management program)
PR.AC-1 - Access control policies and procedures
PR.DS-6 - Data is protected from unauthorized access (input validation)
DE.CM-8 - Vulnerability scans are performed (detection of exploitation attempts)
RS.RP-1 - Response plan is executed during or after an incident
🟡 ISO 27001:2022
A.5.1.1 - Information security policies (secure development practices)
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices (secure configuration)
A.12.2.1 - Change management procedures
A.12.6.1 - Management of technical vulnerabilities and exposures
A.14.2.1 - Secure development policy (input validation requirements)
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards (restrict backup access)
Requirement 2.1 - Default security parameters (disable unnecessary features)
Requirement 6.2 - Security patches (timely patching requirement)
Requirement 6.5.1 - Injection flaws prevention
Requirement 10.2.1 - User access logging (backup operations audit trail)
🔗 References & Sources 3
🔗
https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
security-advisories@github.com
Patch
🔗
https://github.com/runtipi/runtipi/releases/tag/v4.7.0
security-advisories@github.com
Product
Release Notes
🔗
https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9
security-advisories@github.com
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
runtipi:runtipi