CVE-2026-47125
published 2026-05-29CVE-2026-47125: Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables…
PriorityP358high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.24%
15.6th percentile
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By overriding values like REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY that other users reference via ${VAR} in compose files, an attacker can redirect image pulls to attacker-controlled registries (supply-chain RCE on the Docker host), exfiltrate database credentials, or disrupt all projects. This vulnerability is fixed in 1.19.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getarcaneapp | arcane | < 1.19.2 | 1.19.2 |
| github.com | getarcaneapp_arcane_backend | >= 0 < 1.19.2 | 1.19.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
getarcaneapp arcane up to 1.19.1 variables REGISTRY/IMAGE/DATABASE_URL/SECRET_KEY authorization (GHSA-jpjh-jm2p-39hh)
vuldb·2026-05-29·CVSS 8.8
CVE-2026-47125 [HIGH] getarcaneapp arcane up to 1.19.1 variables REGISTRY/IMAGE/DATABASE_URL/SECRET_KEY authorization (GHSA-jpjh-jm2p-39hh)
A vulnerability has been found in getarcaneapp arcane up to 1.19.1 and classified as critical. This impacts an unknown function of the file /api/environments/{id}/templates/variables. This manipulation of the argument REGISTRY/IMAGE/DATABASE_URL/SECRET_KEY causes missing authorization.
This vulnerability is handled as CVE-2026-47125. The attack can be initiated remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA
Arcane: Missing admin authorization on global variables endpoint
ghsa·2026-05-23
CVE-2026-47125 [HIGH] CWE-862 Arcane: Missing admin authorization on global variables endpoint
Arcane: Missing admin authorization on global variables endpoint
## Summary
The `PUT /api/environments/{id}/templates/variables` endpoint, which writes the system-wide `.env.global` file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By overriding values like `REGISTRY`, `IMAGE`, `DATABASE_URL`, or `SECRET_KEY` that other users reference via `${VAR}` in compose files, an attacker can redirect image pulls to attacker-controlled registries (supply-chain RCE on the Docker host), exfiltrate database credentials, or disrupt all projects.
## Details
The
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-29
Published