CVE-2026-45625
published 2026-05-29CVE-2026-45625: Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints…
PriorityP270critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
0.39%
30.6th percentile
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints (list, create, get, update, delete, test, listBranches, browseFiles) never call the checkAdmin(ctx) helper that every other admin-managed resource (container registries, environments, users, API keys, swarm, settings, system, notifications, events) uses, and the huma authentication middleware deliberately enforces only authentication, not the admin role. As a result, any logged-in user with the default user role can list, create, modify, delete, and test git repository configurations. By repointing an existing repository's URL to an attacker-controlled host while omitting the token/sshKey fields (which UpdateRepository only rewrites when explicitly supplied), the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next /test, /branches, or /files call and present it as HTTP Basic auth (or SSH key auth) to the attacker's host — producing a one-step exfiltration of plaintext Git credentials. This vulnerability is fixed in 1.19.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getarcaneapp | arcane | < 1.19.0 | 1.19.0 |
| github.com | getarcaneapp_arcane_backend | >= 0 < 1.19.0 | 1.19.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
getarcaneapp arcane up to 1.18.x git-repositories authorization (GHSA-7h26-hg47-p9hx)
vuldb·2026-05-29·CVSS 9.9
CVE-2026-45625 [CRITICAL] getarcaneapp arcane up to 1.18.x git-repositories authorization (GHSA-7h26-hg47-p9hx)
A vulnerability classified as critical was found in getarcaneapp arcane up to 1.18.x. This vulnerability affects unknown code of the file /api/customize/git-repositories. Such manipulation leads to missing authorization.
This vulnerability is traded as CVE-2026-45625. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA
Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
ghsa·2026-05-18
CVE-2026-45625 [CRITICAL] CWE-862 Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
## Summary
Arcane's huma-based REST API exposes nine endpoints under `/api/customize/git-repositories` and `/api/git-repositories/sync` for managing GitOps source repositories and their stored credentials. Eight of those endpoints (`list`, `create`, `get`, `update`, `delete`, `test`, `listBranches`, `browseFiles`) never call the `checkAdmin(ctx)` helper that every other admin-managed resource (container registries, environments, users, API keys, swarm, settings, system, notifications, events) uses, and the huma authentication middleware deliberately enforces only authentication, not the `admin` role. As a result, any logged-in
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-29
Published