Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability.
Published: 2026-01-19
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized remote environment access
Action: Patch
AI Analysis

Impact

Arcane, a Docker management interface, allowed unauthenticated requests to be forwarded to remote environment agents before authentication was applied. The flaw let an attacker reach agent endpoints such as container listings, log streams, and other management actions without credentials. This could expose sensitive data, permit malicious changes, or disrupt services. The weakness is missing authentication for a critical function (CWE-306).

Affected Systems

The vulnerability affects the Arcane platform prior to version 1.13.2. Any deployment of Arcane older than this release is susceptible.

Risk and Exploitability

The CVSS base score is 8.0, indicating high severity, while the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The CVE is not listed in the CISA KEV catalog. The flaw can be triggered by sending HTTP requests to `/api/environments/{id}/…` on an unprotected Arcane instance: the unauthenticated caller's request is proxied to the remote environment with the agent token attached, bypassing authentication controls.

Generated by OpenCVE AI on April 18, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Arcane platform to version 1.13.2 or later.
  • Configure the environment to enforce authentication before proxying environment requests.
  • Verify that manager‑held agent tokens are not appended to requests originating from unauthenticated users.
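The ordering flaw these actions address, as an added Go example (not Arcane's code): the same two middlewares are composed proxy-first and auth-first, and `probe` reports what an unauthenticated caller gets in each case. The header name `X-Agent-Token`, both token values, the `local` environment id, the in-process agent stand-in and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed tokens and header name: assumptions for this example, not Arcane's.
const agentToken, sessionAuth, tokenHeader = "example-agent-token", "Bearer example-session", "X-Agent-Token"

// requireAuth rejects callers that lack the constructed session credential.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != sessionAuth {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// envProxy sends non-local /api/environments/{id}/... to the agent with the manager token.
func envProxy(agent, next http.Handler) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/", next)
	mux.Handle("/api/environments/local/", next) // "local" id is an assumption
	mux.Handle("/api/environments/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set(tokenHeader, agentToken)
		agent.ServeHTTP(w, r)
	}))
	return mux
}

// vulnerable lets the proxy act before auth runs; fixed authenticates every request first.
func vulnerable(agent http.Handler) http.Handler { return envProxy(agent, requireAuth(http.NotFoundHandler())) }
func fixed(agent http.Handler) http.Handler      { return requireAuth(envProxy(agent, http.NotFoundHandler())) }

// probe returns the caller's HTTP status and whether the agent stand-in saw the manager token.
func probe(build func(http.Handler) http.Handler, authorization string) (int, bool) {
	reached := false
	agent := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { reached = r.Header.Get(tokenHeader) == agentToken })
	req, rec := httptest.NewRequest("GET", "/api/environments/remote-1/containers", nil), httptest.NewRecorder()
	req.Header.Set("Authorization", authorization)
	build(agent).ServeHTTP(rec, req)
	return rec.Code, reached
}

func main() { fmt.Println(fmt.Sprint(probe(vulnerable, "")), "vs", fmt.Sprint(probe(fixed, ""))) }
```

The same probe, pointed at a test deployment's real route table, works as a regression check that no environment route is reachable ahead of the authentication middleware.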


Advisories

No advisories yet.

History

Mon, 02 Feb 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Arcane; Arcane arcane |
| CPEs | | `cpe:2.3:a:arcane:arcane:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Arcane; Arcane arcane |
| Metrics | | cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` |


Wed, 21 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Tue, 20 Jan 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Getarcaneapp; Getarcaneapp arcane |
| Vendors & Products | | Getarcaneapp; Getarcaneapp arcane |

Mon, 19 Jan 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. |
| Title | | Arcane allows unauthenticated proxy access to remote environments |
| Weaknesses | | CWE-306 |
| References | | |
| Metrics | | cvssV4_0 `{'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T21:17:24.259Z

Reserved: 2026-01-19T14:49:06.311Z

Link: CVE-2026-23944

Vulnrichment

Updated: 2026-01-21T21:17:20.107Z

NVD

Status: Analyzed

Published: 2026-01-19T22:16:02.603

Modified: 2026-02-02T15:19:05.360

Link: CVE-2026-23944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z
