CVE-2026-42461

Severity: High
CWE-862 (Weakness Type)
Published: May 9, 2026  ·  Modified: May 16, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's real env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice — not a theoretical info-disclosure. The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0.
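An added illustration of the authorization gap the description names, not Arcane's Go/Huma code, written in Python so it runs stand-alone. The constructed route table mirrors the pattern described: write operations declare a bearer requirement, the four template GETs declare none. `decide` shows the opt-in behaviour beside a fail-closed version, and `unprotected_operations` is the registration-time audit that would have caught the gap. The exact paths, the `{id}` parameter and the `/api/health` route are assumptions.

```python
import re

# Constructed route table modelled on the advisory text (illustrative, not Arcane's real routing):
# (method, path template, declared security requirements in OpenAPI style)
ROUTES = [
    ("GET",    "/api/templates",              []),
    ("GET",    "/api/templates/{id}",         []),
    ("GET",    "/api/templates/{id}/compose", []),
    ("GET",    "/api/templates/{id}/env",     []),
    ("POST",   "/api/templates",              [{"bearer": []}]),
    ("PUT",    "/api/templates/{id}",         [{"bearer": []}]),
    ("DELETE", "/api/templates/{id}",         [{"bearer": []}]),
    ("GET",    "/api/health",                 [{}]),  # explicit empty requirement = intentionally public
]

def _matches(template, path):
    """Match a concrete request path against a template with {param} segments."""
    pattern = "^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$"
    return re.match(pattern, path) is not None

def lookup(method, path, routes=ROUTES):
    """Return the declared security list of the matching operation, or None if no route matches."""
    for m, template, security in routes:
        if m == method and _matches(template, path):
            return security
    return None

def decide(method, path, has_valid_token, fail_closed, routes=ROUTES):
    """Return an HTTP status for the request.
    fail_closed=False reproduces the opt-in behaviour behind the CVE: an operation that declares
    nothing is served to everyone. fail_closed=True treats an undeclared requirement as
    'authentication required'; only an explicit {} entry marks a route as deliberately public."""
    security = lookup(method, path, routes)
    if security is None:
        return 404
    if security == [{}]:
        return 200                  # deliberately public
    if not security and not fail_closed:
        return 200                  # the authorization gap: nothing declared, nothing enforced
    return 200 if has_valid_token else 401

def unprotected_operations(routes=ROUTES):
    """Registration-time audit: operations that declare no requirement at all. Run it as a unit
    test so a forgotten Security field fails the build instead of shipping unauthenticated."""
    return [(m, p) for m, p, security in routes if not security]
```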

🤖 AI Executive Summary

Arcane versions prior to 1.18.0 contain an unauthenticated information disclosure vulnerability in four GET endpoints under /api/templates* that expose full Docker Compose YAML and .env files containing sensitive credentials (database passwords, API keys). This is a critical authorization bypass affecting container management infrastructure used by DevOps and cloud teams. The vulnerability allows any network-accessible attacker to read operator secrets without authentication, despite the frontend treating these endpoints as protected.

🤖 AI Intelligence Analysis (analyzed May 15, 2026 23:51)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Arcane for container orchestration face critical exposure of infrastructure secrets. Most at-risk sectors: (1) Banking/SAMA-regulated institutions using containerized microservices for payment systems and core banking; (2) Government agencies (NCA, CITC) managing cloud infrastructure; (3) Energy sector (ARAMCO, utilities) running containerized SCADA/ICS systems; (4) Telecom operators (STC, Mobily, Zain) managing containerized network services; (5) Healthcare providers managing patient data systems. Exposed .env files containing database credentials, API keys, and service tokens could enable lateral movement, data exfiltration, and supply chain compromise. The lack of authentication requirement means any internet-connected Arcane instance is vulnerable to reconnaissance by threat actors.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Energy and Utilities, Telecommunications, Healthcare, Cloud Service Providers, Technology and Software Development
⚖️ Saudi Risk Score (AI): 8.7 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Arcane instances in your environment: scan for exposed /api/templates endpoints on ports 3000, 8080, or custom ports
2. Restrict network access to Arcane instances using firewall rules (WAF/network ACLs) - allow only trusted administrative IPs
3. Implement reverse proxy authentication (nginx/Apache with OAuth2/SAML) in front of Arcane until patching
4. Rotate all secrets exposed in templates: database passwords, API keys, service tokens, SSH keys
5. Review audit logs for unauthorized /api/templates* requests (look for GET requests from unexpected IPs)

PATCHING:
6. Upgrade to Arcane 1.18.0 or later immediately when available
7. Test patch in staging environment before production deployment

COMPENSATING CONTROLS (if patching delayed):
8. Deploy WAF rules blocking GET requests to /api/templates* paths
9. Implement API gateway authentication requiring Bearer tokens for all /api/templates* endpoints
10. Enable VPN/bastion host requirement for Arcane access
11. Monitor for suspicious template access patterns in logs

DETECTION RULES:
- Alert on any GET request to /api/templates* without Authorization header
- Alert on /api/templates* requests from non-whitelisted IPs
- Monitor for repeated 200 responses to /api/templates* endpoints
- Search logs for patterns: GET /api/templates/*/compose or GET /api/templates/*/env
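The four detection rules above, implemented as an added example over constructed log lines (not code from Arcane or from this advisory). The log line format, the trusted-IP allowlist and the repeat threshold are assumptions; adapt the regex to your proxy's actual access-log format.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not captured from any real Arcane instance). Assumed format:
# "<client_ip> <method> <path> <status> <authorization header present: yes|no>"
SAMPLE_LOG = """\
203.0.113.7 GET /api/templates 200 no
203.0.113.7 GET /api/templates/12 200 no
203.0.113.7 GET /api/templates/12/compose 200 no
203.0.113.7 GET /api/templates/12/env 200 no
10.0.0.5 GET /api/templates 200 yes
10.0.0.5 POST /api/templates 201 yes
198.51.100.9 GET /api/containers 401 no
"""

TRUSTED_ADMIN_IPS = {"10.0.0.5"}  # assumed allowlist; take the real one from your network ACLs
REPEAT_THRESHOLD = 3              # assumed: alert when one IP receives more 200s than this
LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3}) (yes|no)$")
SECRET_PATHS = re.compile(r"^/api/templates/[^/]+/(compose|env)$")

def analyze(log_text, trusted_ips=TRUSTED_ADMIN_IPS, threshold=REPEAT_THRESHOLD):
    """Apply the four detection rules and return sorted (rule, client_ip, detail) alerts."""
    alerts = []
    ok_count = Counter()  # successful /api/templates* responses per client IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ip, method, path, status, has_auth = m.groups()
        if not path.startswith("/api/templates"):
            continue  # only the vulnerable endpoint family is in scope
        if method == "GET" and has_auth == "no":
            alerts.append(("get_without_authorization_header", ip, path))
        if ip not in trusted_ips:
            alerts.append(("request_from_unlisted_ip", ip, path))
        if SECRET_PATHS.match(path):
            alerts.append(("compose_or_env_read", ip, path))
        if status == "200":
            ok_count[ip] += 1
    for ip, n in ok_count.items():
        if n > threshold:
            alerts.append(("repeated_200_responses", ip, f"{n} successful responses"))
    return sorted(alerts)
```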
🔧 Remediation Steps (Arabic version, translated to English)
IMMEDIATE ACTIONS:
1. Identify all Arcane instances in your environment: scan for exposed /api/templates endpoints on ports 3000, 8080, or custom ports
2. Restrict network access to Arcane instances using firewall rules (WAF/network ACLs) - allow only trusted administrative IP addresses
3. Implement reverse proxy authentication (nginx/Apache with OAuth2/SAML) in front of Arcane until patched
4. Rotate all secrets exposed in templates: database passwords, API keys, and service tokens
5. Review audit logs for unauthorized /api/templates* requests (look for GET requests from unexpected IP addresses)

PATCHING:
6. Upgrade to Arcane 1.18.0 or a later release immediately when available
7. Test the patch in a staging environment before production deployment

COMPENSATING CONTROLS (if patching is delayed):
8. Deploy WAF rules blocking GET requests to /api/templates* paths
9. Implement API gateway authentication requiring Bearer tokens for all /api/templates* endpoints
10. Require VPN/bastion host access for reaching Arcane
11. Monitor for suspicious template access patterns in logs

DETECTION RULES:
- Alert on any GET request to /api/templates* without an Authorization header
- Alert on /api/templates* requests from IP addresses not on the whitelist
- Monitor for repeated 200 responses to /api/templates* endpoints
- Search logs for the patterns: GET /api/templates/*/compose or GET /api/templates/*/env
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.6.1.1 - Information access control (unauthenticated access to sensitive data)
- ECC 2024 A.6.2.1 - User registration and access rights management (missing authentication)
- ECC 2024 A.8.2.1 - Classification of information (exposure of unclassified secrets)
- ECC 2024 A.12.4.1 - Event logging (insufficient access controls on API endpoints)
🔵 SAMA CSF
- SAMA CSF ID.AM-2 - Asset management (uncontrolled exposure of infrastructure secrets)
- SAMA CSF PR.AC-1 - Access control policy (missing authentication on sensitive endpoints)
- SAMA CSF PR.AC-3 - Access enforcement (authorization bypass on /api/templates*)
- SAMA CSF DE.AE-1 - Anomalies and events detection (unauthenticated API access patterns)
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.3 - Segregation of duties (missing access controls)
- ISO 27001:2022 A.8.1.1 - User endpoint devices (exposure of credentials in templates)
- ISO 27001:2022 A.8.2.1 - Privileged access rights (unauthenticated read of secrets)
- ISO 27001:2022 A.8.3.1 - Information access restriction (missing authentication requirement)
🟣 PCI DSS v4.0.1
- PCI DSS 6.5.10 - Broken authentication (missing authentication on API endpoints)
- PCI DSS 7.1 - Limit access to cardholder data (unauthenticated exposure of credentials)
- PCI DSS 8.1 - Unique user ID (no authentication requirement for template access)
📦 Affected Products / CPE (1 entry)
getarcane:arcane
📊 CVSS Score: 7.5 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-862
EPSS: 0.05%
Exploit: No
Patch: ✗ No
Published: 2026-05-09
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.7 / 10.0 (Saudi Risk)
Priority: CRITICAL
🏷️ Tags: CWE-862