CVE-2026-42461
Published 2026-05-09
Priority: P3 · 51 · Severity: high · CVSS 3.1: 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.31% (22.6th percentile)
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's real env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice — not a theoretical info-disclosure. The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0.
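The gap described above is the kind a route-table audit catches before release: every operation registered under a prefix the frontend treats as authenticated must declare a security requirement. The following is an added example, not Arcane's or Huma's own code; the `Operation` struct, the `Security` field shape, and the route paths are assumptions constructed to mirror the advisory (the page does not list the four real GET paths).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Operation is an assumed, simplified view of a registered API operation:
// its method, path, and declared security requirements. It mirrors the
// shape of the Security field on Huma operations but is not Huma's type.
type Operation struct {
	Method   string
	Path     string
	Security []map[string][]string
}

// bearer is the requirement the mutating template operations declare.
var bearer = []map[string][]string{{"bearer": {}}}

// routes is a constructed table modelled on the advisory: four GET
// operations under /api/templates carry no Security, the POST/PUT/DELETE
// operations on the same paths do. The exact GET paths are placeholders.
var routes = []Operation{
	{"GET", "/api/templates", nil},
	{"GET", "/api/templates/{id}", nil},
	{"GET", "/api/templates/{id}/content", nil},
	{"GET", "/api/templates/{id}/env", nil},
	{"POST", "/api/templates", bearer},
	{"PUT", "/api/templates/{id}", bearer},
	{"DELETE", "/api/templates/{id}", bearer},
	{"GET", "/api/health", nil}, // intentionally public, outside the prefix
}

// UnprotectedUnder returns "METHOD PATH" for every operation whose path sits
// under one of the protected prefixes but declares no security requirement.
// Run it in CI against the real route table so a new unauthenticated route
// under a protected prefix fails the build instead of shipping.
func UnprotectedUnder(ops []Operation, protectedPrefixes []string) []string {
	var gaps []string
	for _, op := range ops {
		for _, p := range protectedPrefixes {
			if op.Path == p || strings.HasPrefix(op.Path, p+"/") {
				if len(op.Security) == 0 {
					gaps = append(gaps, op.Method+" "+op.Path)
				}
				break
			}
		}
	}
	sort.Strings(gaps)
	return gaps
}

func main() {
	for _, g := range UnprotectedUnder(routes, []string{"/api/templates"}) {
		fmt.Println("unauthenticated operation under protected prefix:", g)
	}
}
```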
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getarcane | arcane | < 1.18.0 | 1.18.0 |
| getarcaneapp | arcane | < 1.18.0 | 1.18.0 |
| github.com | getarcaneapp_arcane_backend | >= 0 < 1.18.0 | 1.18.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
CVE-2026-42461 [HIGH] getarcaneapp arcane up to 1.17.x redirect.util.ts authorization (GHSA-cxx3-hr75-4q96)
vuldb · 2026-05-09 · CVSS 8.7
A vulnerability was found in getarcaneapp arcane up to 1.17.x and classified as problematic. This issue affects some unknown processing in the library frontend/src/lib/utils/redirect.util.ts. Such manipulation leads to missing authorization.
This vulnerability is documented as CVE-2026-42461. The attack can be executed remotely. There is not any exploit available.
It is suggested to upgrade the affected component.
GHSA
CVE-2026-42461 [HIGH] CWE-862 Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)
ghsa · 2026-04-30
### Summary
Four `GET` endpoints under `/api/templates*` in Arcane's Huma backend are registered without any `Security` requirement, allowing any unauthenticated network client to list and read the full Compose YAML and `.env` content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's *real* env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice — not a theoretical info-disclosure.
The frontend explicitly treats `/customize/templates/*` as an authenticated area (`PROTECTED_PREFIXES` in `frontend/src/lib/utils/redirect.util.ts`), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.