CVE-2026-40242: CWE-918: Server-Side Request Forgery (SSRF) in getarcaneapp arcane
CVE-2026-40242 is a high-severity unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Arcane versions prior to 1. 17. 3. The vulnerability exists in the /api/templates/fetch endpoint, which accepts a user-supplied URL parameter and performs an HTTP GET request without authentication or validation of the URL scheme or host. The server's response is returned directly to the caller, potentially allowing attackers to induce the server to make arbitrary HTTP requests. This issue is fixed in Arcane version 1. 17. 3.
AI Analysis
Technical Summary
Arcane, a Docker management interface, has an SSRF vulnerability (CWE-918) in versions before 1.17.3. The /api/templates/fetch endpoint accepts a URL parameter and performs an unauthenticated server-side HTTP GET request without validating the URL scheme or host. This allows an attacker to cause the server to make arbitrary HTTP requests and return the response to the attacker. The vulnerability affects any publicly reachable Arcane instance and is resolved in version 1.17.3.
Potential Impact
An attacker can exploit this vulnerability to make the Arcane server perform arbitrary HTTP GET requests to internal or external resources. This can lead to information disclosure (confidentiality impact) and integrity impact due to the server acting on attacker-controlled URLs. There is no direct availability impact reported. The vulnerability is unauthenticated and remotely exploitable, increasing its risk.
Mitigation Recommendations
This vulnerability is fixed in Arcane version 1.17.3. Users should upgrade to version 1.17.3 or later to remediate this issue. Since no official patch links or vendor advisory details are provided, confirm patch availability from the vendor or official sources before upgrading. Patch status is not yet confirmed in the provided data — check the vendor advisory for current remediation guidance.
CVE-2026-40242: CWE-918: Server-Side Request Forgery (SSRF) in getarcaneapp arcane
Description
CVE-2026-40242 is a high-severity unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Arcane versions prior to 1. 17. 3. The vulnerability exists in the /api/templates/fetch endpoint, which accepts a user-supplied URL parameter and performs an HTTP GET request without authentication or validation of the URL scheme or host. The server's response is returned directly to the caller, potentially allowing attackers to induce the server to make arbitrary HTTP requests. This issue is fixed in Arcane version 1. 17. 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Arcane, a Docker management interface, has an SSRF vulnerability (CWE-918) in versions before 1.17.3. The /api/templates/fetch endpoint accepts a URL parameter and performs an unauthenticated server-side HTTP GET request without validating the URL scheme or host. This allows an attacker to cause the server to make arbitrary HTTP requests and return the response to the attacker. The vulnerability affects any publicly reachable Arcane instance and is resolved in version 1.17.3.
Potential Impact
An attacker can exploit this vulnerability to make the Arcane server perform arbitrary HTTP GET requests to internal or external resources. This can lead to information disclosure (confidentiality impact) and integrity impact due to the server acting on attacker-controlled URLs. There is no direct availability impact reported. The vulnerability is unauthenticated and remotely exploitable, increasing its risk.
Mitigation Recommendations
This vulnerability is fixed in Arcane version 1.17.3. Users should upgrade to version 1.17.3 or later to remediate this issue. Since no official patch links or vendor advisory details are provided, confirm patch availability from the vendor or official sources before upgrading. Patch status is not yet confirmed in the provided data — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.785Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d962a81cc7ad14dae87051
Added to database: 4/10/2026, 8:50:48 PM
Last enriched: 4/10/2026, 9:05:45 PM
Last updated: 4/10/2026, 11:21:15 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.