CVE-2026-42461: CWE-862: Missing Authorization in getarcaneapp arcane
Arcane versions prior to 1.18.0 have a missing authorization vulnerability in four GET endpoints under /api/templates*. These endpoints allow unauthenticated network clients to read the full Compose YAML and .env content of every custom template stored in the instance. Since the UI saves sensitive operator environment content such as database passwords and API keys verbatim in these templates, this results in an unauthenticated disclosure of operator secrets. The backend authorization gap contrasts with the frontend's intended protection of these resources. This issue has been fixed in Arcane version 1.18.0.
AI Analysis
Technical Summary
Arcane is a Docker management interface. Before version 1.18.0, four GET endpoints under /api/templates* in its backend lacked any security requirements, enabling unauthenticated users to list and read all custom templates including sensitive environment variables. The frontend treats these endpoints as protected and requires authentication for CRUD operations, indicating this was an unintended backend authorization omission. The vulnerability allows unauthenticated remote attackers to access operator secrets stored in templates. This missing authorization vulnerability (CWE-862) has been patched in version 1.18.0.
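The routing shape the advisory describes, as an added example that is not Arcane's own code: a router where the mutating template verbs go through an auth middleware while the GET handlers are registered bare, beside the corrected form where the middleware wraps the whole /api/templates subtree. The bearer token, the handler names and the constructed template body are stand-ins chosen for this example; only Go's standard net/http and httptest packages are used. The openWithoutAuth audit walks a route table and reports every template route that answers an unauthenticated request with anything other than 401, which is the regression test a maintainer would want in place after a fix like this one.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// demoToken is a constructed stand-in for the operator session check; it is
// not an Arcane credential or API.
const demoToken = "demo-operator-token"

// requireAuth rejects any request that does not carry the expected bearer token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("Authorization")
		want := "Bearer " + demoToken
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// byMethod dispatches on the HTTP verb so one path can carry read and write handlers.
type byMethod map[string]http.Handler

func (m byMethod) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if h, ok := m[r.Method]; ok {
		h.ServeHTTP(w, r)
		return
	}
	http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
}

// templateOp is a hypothetical handler returning a constructed template body;
// in the real product this is where Compose YAML and .env content is served.
func templateOp(op string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s %s\nDB_PASSWORD=constructed-sample-secret\n", op, r.URL.Path)
	})
}

// vulnerableRouter mirrors the gap the advisory describes: the mutating verbs
// are wrapped in requireAuth, the GET handlers are registered bare.
func vulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/templates", byMethod{
		"GET":  templateOp("list"),
		"POST": requireAuth(templateOp("create")),
	})
	mux.Handle("/api/templates/", byMethod{
		"GET":    templateOp("read"),
		"PUT":    requireAuth(templateOp("update")),
		"DELETE": requireAuth(templateOp("delete")),
	})
	return mux
}

// fixedRouter applies requireAuth once, around the whole /api/templates subtree,
// so every verb on every template path passes the same check and a handler
// added later cannot be registered outside it.
func fixedRouter() http.Handler {
	templates := http.NewServeMux()
	templates.Handle("/api/templates", byMethod{
		"GET":  templateOp("list"),
		"POST": templateOp("create"),
	})
	templates.Handle("/api/templates/", byMethod{
		"GET":    templateOp("read"),
		"PUT":    templateOp("update"),
		"DELETE": templateOp("delete"),
	})
	root := http.NewServeMux()
	root.Handle("/api/templates", requireAuth(templates))
	root.Handle("/api/templates/", requireAuth(templates))
	return root
}

// status sends one in-process request (no network) and returns the response code.
func status(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// templateRoutes is the route table the audit walks; in a real code base it
// should be derived from the router so that new routes cannot be skipped.
var templateRoutes = [][2]string{
	{"GET", "/api/templates"}, {"POST", "/api/templates"},
	{"GET", "/api/templates/demo"}, {"PUT", "/api/templates/demo"}, {"DELETE", "/api/templates/demo"},
}

// openWithoutAuth returns every template route that answers anything other
// than 401 to an unauthenticated request. An empty result is the expected state.
func openWithoutAuth(h http.Handler) []string {
	var open []string
	for _, rt := range templateRoutes {
		if status(h, rt[0], rt[1], "") != http.StatusUnauthorized {
			open = append(open, rt[0]+" "+rt[1])
		}
	}
	return open
}

func main() {
	fmt.Println("pre-fix router, open without auth:", openWithoutAuth(vulnerableRouter()))
	fmt.Println("fixed router, open without auth:  ", openWithoutAuth(fixedRouter()))
}
```

Wrapping the subtree rather than each handler is the design point: per-handler wrapping is exactly what lets a read-only route be added without the check, which is the frontend/backend mismatch the advisory points out.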
Potential Impact
Unauthenticated remote attackers can read sensitive operator secrets such as database passwords and API keys stored in custom templates. This leads to a high-impact information disclosure, potentially compromising the confidentiality of critical credentials used by the operator. The vulnerability affects all Arcane instances running versions prior to 1.18.0.
Mitigation Recommendations
Upgrade Arcane to version 1.18.0 or later, where this missing authorization vulnerability has been patched. No other mitigation is required as the fix addresses the authorization gap directly.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-27T13:55:58.694Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ffe1b2cbff5d8610ead452
Added to database: 5/10/2026, 1:38:58 AM
Last enriched: 5/10/2026, 1:40:12 AM
Last updated: 5/10/2026, 8:40:34 AM
Views: 9