CVE-2026-40242
Published 2026-04-10
Priority: P3 51 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploit / EPSS: 0.62% (45.2th percentile)
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getarcane | arcane | < 1.17.3 | 1.17.3 |
| getarcaneapp | arcane | < 1.17.3 | 1.17.3 |
| github.com | getarcaneapp_arcane_backend | >= 0 < 1.17.3 | 1.17.3 |
GHSA (2026-04-10, HIGH, CWE-918)
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint
### Summary
The /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance.
### Details
- No allowlist or denylist of destination hosts/CIDRs
- No requirement for the caller to be authenticated
Response handling produces four distinct outcomes observable by the caller:
- Valid JSON targets return a fully reflected response body if the returned fields fit the expected internal struct
- Non-JSON HTT
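The two missing controls the advisory names (no scheme/host validation, no destination allow/deny list) are what a server-side fetcher needs before it makes any outbound request. The following is an added example written for this page, not code from the Arcane project; the function names (ValidateFetchURL, StaticResolver, isInternal), the ErrBlocked sentinel and the resolver table with 203.0.113.10 and 10.0.0.5 are assumptions constructed for illustration. It shows the check a fixed fetch handler would run: accept only http/https, reject userinfo in the URL, resolve the host once, and refuse loopback, private, link-local (including the 169.254.169.254 metadata range), unspecified and multicast destinations, returning the vetted IP list so the caller can pin the connection to it rather than resolving again.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup so the check can be exercised offline.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// ErrBlocked wraps every reason a destination must not be contacted.
var ErrBlocked = errors.New("fetch target not allowed")

// isInternal reports whether ip lies in a range a template fetcher should
// never reach: loopback, RFC 1918 / ULA private space, link-local (which
// covers 169.254.169.254 cloud metadata), unspecified, and multicast.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateFetchURL parses raw, enforces an http/https scheme, rejects URL
// userinfo, resolves the host exactly once and checks every address against
// isInternal. On success it returns the parsed URL and the vetted IPs; the
// caller should dial one of those IPs (not the hostname) so a second lookup
// cannot return a different, internal address (DNS rebinding).
func ValidateFetchURL(ctx context.Context, raw string, resolve Resolver) (*url.URL, []net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, fmt.Errorf("%w: %v", ErrBlocked, err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return nil, nil, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	if u.User != nil {
		return nil, nil, fmt.Errorf("%w: userinfo not allowed", ErrBlocked)
	}
	host := u.Hostname()
	if host == "" {
		return nil, nil, fmt.Errorf("%w: empty host", ErrBlocked)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else {
		ips, err = resolve(ctx, host)
		if err != nil || len(ips) == 0 {
			return nil, nil, fmt.Errorf("%w: unresolvable host %q", ErrBlocked, host)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return nil, nil, fmt.Errorf("%w: %s resolves to internal address %s", ErrBlocked, host, ip)
		}
	}
	return u, ips, nil
}

// StaticResolver builds a Resolver from a fixed name->address table
// (constructed sample data, so the example runs without network access).
func StaticResolver(table map[string][]string) Resolver {
	return func(_ context.Context, host string) ([]net.IP, error) {
		addrs, ok := table[strings.ToLower(host)]
		if !ok {
			return nil, errors.New("no such host")
		}
		var out []net.IP
		for _, a := range addrs {
			out = append(out, net.ParseIP(a))
		}
		return out, nil
	}
}

func main() {
	resolve := StaticResolver(map[string][]string{
		"templates.example": {"203.0.113.10"},              // public, allowed
		"rebind.example":    {"203.0.113.10", "10.0.0.5"}, // one private record: blocked
	})
	for _, raw := range []string{
		"https://templates.example/compose.yaml",
		"http://127.0.0.1:2375/version",
		"http://169.254.169.254/latest/meta-data/",
		"file:///etc/passwd",
		"http://rebind.example/x",
		"http://[::1]/",
	} {
		_, _, err := ValidateFetchURL(context.Background(), raw, resolve)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
}
```

The check is only half of the fix the advisory implies: the endpoint must also require an authenticated caller, and the handler should hand back only the fields it parsed into its own template struct (or a generic error) rather than reflecting the upstream body, since the advisory's "conditional response reflection" is what turns a blind SSRF into a read of internal services.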
VulDB (2026-04-10, CVSS 7.2, HIGH)
getarcaneapp arcane up to 1.17.2 /api/templates/fetch url server-side request forgery (GHSA-ff24-4prj-gpmj)
A vulnerability was found in getarcaneapp arcane up to 1.17.2 and classified as critical. This impacts an unknown function of the file /api/templates/fetch. Such manipulation of the argument url leads to server-side request forgery.
This vulnerability is listed as CVE-2026-40242. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
No detection rules found.
Nuclei (CVSS 7.2, HIGH)
Arcane <= 1.17.2 - Server-Side Request Forgery
Arcane <= 1.17.3 contains an unauthenticated server-side request forgery caused by lack of URL scheme and host validation in /api/templates/fetch endpoint, letting remote attackers perform SSRF, exploit requires no authentication.
Template:
```yaml
id: CVE-2026-40242

info:
  name: Arcane <= 1.17.2 - Server-Side Request Forgery
  author: 0x_Akoko
  severity: high
  description: |
    Arcane <= 1.17.3 contains an unauthenticated server-side request forgery caused by lack of URL scheme and host validation in /api/templates/fetch endpoint, letting remote attackers perform SSRF, exploit requires no authentication.
  impact: |
    Remote attackers can make the server perform arbitrary HTTP requests, potentially accessing internal resources or sensitive data.
  remediation:
```
No writeups or analysis indexed.
Published: 2026-04-10