Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's real env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice — not a theoretical info-disclosure. The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0.
Published: 2026-05-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arcane's Huma backend exposes four GET endpoints under /api/templates* that lack authentication. An unauthenticated client can retrieve the full Compose YAML and .env files for every custom template stored in the system. Because the UI's "Save as Template" flow persists operator-provided environment variables verbatim, the disclosed data includes database passwords, API keys, and other confidential information. This flaw is a classic missing authorization error (CWE-862) that directly leads to uncontrolled information disclosure of sensitive operator secrets.

Affected Systems

The vulnerability affects all installations of Arcane prior to version 1.18.0, produced by getarcaneapp. Versions 1.18.0 and later contain a patch that restricts access to the /api/templates endpoints and requires proper authentication for all CRUD operations.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as high severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV. An attacker does not need credentials; sending unauthenticated HTTP GET requests to the vulnerable endpoints over the network is sufficient to obtain sensitive configuration data. The attack can be performed from any host that can reach the Arcane API, and no additional prerequisites are required.

Generated by OpenCVE AI on May 9, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Arcane to version 1.18.0 or later, as provided by getarcaneapp's patch.
  • If an immediate upgrade is not possible, block unauthenticated access to the /api/templates endpoints using a firewall or reverse proxy to prevent unauthorized GET requests.
  • Confirm that the backend enforces authentication and bearer/API key validation on all CRUD endpoints; review and adjust access controls as necessary to eliminate missing authorization.
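The last two actions above amount to one verifiable property: no method on the template paths, GET included, may answer without credentials. The following Go program is an added example written for this page, not Arcane's or Huma's code. It wires up a toy template API on the standard-library mux in two configurations (reads unprotected, mirroring the pre-1.18.0 gap, and all methods behind a bearer check), then runs a small audit that sends every expected route without an Authorization header and reports those that are not rejected. The concrete sub-paths and the template id are assumptions for illustration; the advisory only states that four GET endpoints live under /api/templates*.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Route is one method/path pair the audit expects to be authenticated.
type Route struct {
	Method string
	Path   string
}

// templateRoutes lists the requests the audit sends. The sub-paths and the
// template id are ASSUMED for illustration; the advisory only says "four GET
// endpoints under /api/templates*" plus POST/PUT/DELETE on the same paths.
var templateRoutes = []Route{
	{http.MethodGet, "/api/templates"},
	{http.MethodGet, "/api/templates/example-id"},
	{http.MethodGet, "/api/templates/example-id/compose"},
	{http.MethodGet, "/api/templates/example-id/env"},
	{http.MethodPost, "/api/templates"},
	{http.MethodPut, "/api/templates/example-id"},
	{http.MethodDelete, "/api/templates/example-id"},
}

// requireBearer rejects requests that carry no "Authorization: Bearer <token>"
// header. Token validation itself is out of scope here; a real backend would
// check the token against its session store or API-key table.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		token := strings.TrimSpace(strings.TrimPrefix(auth, "Bearer "))
		if !strings.HasPrefix(auth, "Bearer ") || token == "" {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter builds a toy template API. With protectGET=false the GET requests
// bypass the auth wrapper, mirroring the pre-1.18.0 gap; with protectGET=true
// every method goes through requireBearer.
func newRouter(protectGET bool) http.Handler {
	// Constructed stand-in for template content; a real instance would return
	// the operator's saved Compose YAML and .env, secrets included.
	serve := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprintln(w, "DB_PASSWORD=constructed-placeholder")
	})
	protected := requireBearer(serve)
	dispatch := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet && !protectGET {
			serve.ServeHTTP(w, r) // the gap: reads are registered without a Security requirement
			return
		}
		protected.ServeHTTP(w, r)
	})
	mux := http.NewServeMux()
	mux.Handle("/api/templates", dispatch)  // exact path
	mux.Handle("/api/templates/", dispatch) // everything beneath it
	return mux
}

// UnauthenticatedRoutes sends each route with no credentials and returns the
// ones that answer with anything other than 401/403. Counting every other
// status as a finding (200, but also 404 or 500) keeps the audit fail-closed.
func UnauthenticatedRoutes(h http.Handler, routes []Route) []string {
	var exposed []string
	for _, rt := range routes {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(rt.Method, rt.Path, nil))
		if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
			exposed = append(exposed, rt.Method+" "+rt.Path)
		}
	}
	return exposed
}

func main() {
	fmt.Println("pre-fix wiring, reachable without credentials:", UnauthenticatedRoutes(newRouter(false), templateRoutes))
	fmt.Println("fixed wiring, reachable without credentials:  ", UnauthenticatedRoutes(newRouter(true), templateRoutes))
}
```

Run with `go run` to see the four GET routes listed for the pre-fix wiring and an empty list for the fixed one. The audit only depends on `http.Handler`, so the same `UnauthenticatedRoutes` call can be pointed at a real router in a CI test, which turns the "confirm the backend enforces authentication" action into a check that fails the build whenever a new route under the protected prefix is added without its authentication requirement.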


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-cxx3-hr75-4q96
Title: Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)
History

Sat, 09 May 2026 05:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Getarcaneapp; Getarcaneapp arcane
Vendors & Products                     Getarcaneapp; Getarcaneapp arcane

Sat, 09 May 2026 04:15:00 +0000

Type                  Values Removed   Values Added
Description                            Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's real env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice — not a theoretical info-disclosure. The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0.
Title                                  Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)
Weaknesses                             CWE-862
References
Metrics                                cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:30:13.371Z

Reserved: 2026-04-27T13:55:58.694Z

Link: CVE-2026-42461

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T04:16:26.103

Modified: 2026-05-09T04:16:26.103

Link: CVE-2026-42461

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T06:00:12Z

Weaknesses