Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints (list, create, get, update, delete, test, listBranches, browseFiles) never call the checkAdmin(ctx) helper that every other admin-managed resource (container registries, environments, users, API keys, swarm, settings, system, notifications, events) uses, and the huma authentication middleware deliberately enforces only authentication, not the admin role. As a result, any logged-in user with the default user role can list, create, modify, delete, and test git repository configurations. By repointing an existing repository's URL to an attacker-controlled host while omitting the token/sshKey fields (which UpdateRepository only rewrites when explicitly supplied), the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next /test, /branches, or /files call and present it as HTTP Basic auth (or SSH key auth) to the attacker's host — producing a one-step exfiltration of plaintext Git credentials. This vulnerability is fixed in 1.19.0.
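A stripped-down illustration of the two defects the description names, written here as an added Go example rather than Arcane's own huma code: the update handler calls a `checkAdmin` guard, and, as an extra hardening step the advisory does not describe, it drops the stored credential when the repository host changes without a replacement being supplied. `Principal`, `Repo`, `UpdateInput` and `updateRepo` are assumed names, and the sample URLs and token are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Principal is what an authentication middleware attaches to a request:
// it proves who the caller is but says nothing about what they may do.
type Principal struct {
	Authenticated bool
	Role          string // "admin" or "user" (assumed role names)
}

// Repo is a stored GitOps source; Token stands in for the encrypted PAT/SSH key.
type Repo struct {
	URL   string
	Token string
}

// UpdateInput models a partial update: a nil Token means "leave it unchanged",
// which is the semantics the advisory describes for UpdateRepository.
type UpdateInput struct {
	URL   string
	Token *string
}

var ErrUnauthenticated = errors.New("unauthenticated")
var ErrForbidden = errors.New("forbidden: admin role required")

// checkAdmin is the authorization guard the affected endpoints did not call.
func checkAdmin(p Principal) error {
	if !p.Authenticated {
		return ErrUnauthenticated
	}
	if p.Role != "admin" {
		return ErrForbidden
	}
	return nil
}

// updateRepo applies both defences. Only https:// URLs are handled here.
func updateRepo(p Principal, stored Repo, in UpdateInput) (Repo, error) {
	if err := checkAdmin(p); err != nil {
		return stored, err
	}
	oldURL, err := url.Parse(stored.URL)
	if err != nil {
		return stored, err
	}
	newURL, err := url.Parse(in.URL)
	if err != nil {
		return stored, err
	}
	out := Repo{URL: in.URL, Token: stored.Token}
	if in.Token != nil {
		out.Token = *in.Token
	} else if newURL.Host != oldURL.Host {
		out.Token = "" // never carry an old secret over to a new host
	}
	return out, nil
}

func main() {
	stored := Repo{URL: "https://git.example.com/org/app.git", Token: "constructed-pat"}
	user := Principal{Authenticated: true, Role: "user"}
	_, err := updateRepo(user, stored, UpdateInput{URL: "https://rogue.example.net/x.git"})
	fmt.Println("non-admin update:", err)
}
```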
Published: 2026-05-29
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arcane’s REST API exposes several Git repository management endpoints without enforcing admin authorization. Any logged‑in user with the default role can list, create, modify, delete, and test git repository configurations. An attacker can change a repository’s URL to point at a rogue host, omit token or SSH key fields, and when Arcane subsequently tests or lists branches, it decrypts the stored personal access token or SSH key and presents it to the attacker’s host as authentication, enabling a single‑step exfiltration of plaintext Git credentials and allowing unauthorized configuration changes.

Affected Systems

This issue affects the Arcane application from getarcaneapp, specifically all releases before version 1.19.0. Users running any 0.x or 1.18.x build are vulnerable.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an authenticated request from a non-admin user to the exposed REST endpoints. Such a user can immediately obtain valid Git credentials and alter GitOps configurations, potentially leading to further infiltration of external Git or Docker registry services.

Generated by OpenCVE AI on May 29, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Arcane to version 1.19.0 or later, which applies the missing checkAdmin guard on all Git repository endpoints.
  • Restrict access to the /api/customize/git-repositories and /api/git-repositories/sync endpoints so that only users with an administrative role can invoke them, or implement a network firewall rule to block non‑admin traffic to those paths.
  • Monitor for unexpected outbound connections from Arcane to external hosts and audit changes to Git repository configurations to detect potential credential exfiltration.

Advisories
Source | ID | Title
Github GHSA | GHSA-7h26-hg47-p9hx | Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
History

Mon, 01 Jun 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Getarcaneapp; Getarcaneapp arcane
Vendors & Products | | Getarcaneapp; Getarcaneapp arcane

Fri, 29 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the description at the top of this page)
Title | | Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T15:21:59.466Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45625

Vulnrichment

Updated: 2026-06-01T15:21:56.089Z

NVD

Status : Deferred

Published: 2026-05-29T18:17:10.267

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45625

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses