CVE-2026-47125: CWE-862: Missing Authorization in getarcaneapp arcane
Arcane versions prior to 1. 19. 2 have a missing authorization check in the PUT /api/environments/{id}/templates/variables endpoint. This endpoint allows writing to the system-wide . env. global file, which is used for variable substitution in all project compose files. Any authenticated non-admin user can exploit this to overwrite global environment variables, potentially redirecting image pulls, exfiltrating credentials, or disrupting projects. The vulnerability is fixed in version 1. 19. 2.
AI Analysis
Technical Summary
CVE-2026-47125 is a missing authorization vulnerability (CWE-862) in the Arcane application before version 1.19.2. The affected endpoint PUT /api/environments/{id}/templates/variables allows authenticated non-admin users to overwrite the .env.global file, which is merged into every project's Docker compose file. This can lead to supply-chain attacks by redirecting image pulls to attacker-controlled registries, exfiltration of sensitive database credentials, and disruption of all projects relying on these environment variables. The CVSS 3.1 score is 8.8 (high severity) with network attack vector, low attack complexity, and requiring low privileges but no user interaction. The vulnerability is fixed in version 1.19.2.
Potential Impact
An attacker with any authenticated non-admin access can overwrite global environment variables used by all projects, enabling supply-chain remote code execution on the Docker host, credential theft, and widespread disruption of container deployments. This compromises confidentiality, integrity, and availability of the affected systems.
Mitigation Recommendations
Upgrade Arcane to version 1.19.2 or later, where this missing authorization check vulnerability is fixed. Until then, restrict access to authenticated users carefully and monitor for unauthorized changes to environment variables. Patch status is confirmed fixed in 1.19.2.
CVE-2026-47125: CWE-862: Missing Authorization in getarcaneapp arcane
Description
Arcane versions prior to 1. 19. 2 have a missing authorization check in the PUT /api/environments/{id}/templates/variables endpoint. This endpoint allows writing to the system-wide . env. global file, which is used for variable substitution in all project compose files. Any authenticated non-admin user can exploit this to overwrite global environment variables, potentially redirecting image pulls, exfiltrating credentials, or disrupting projects. The vulnerability is fixed in version 1. 19. 2.
CVSS v3.1
Score 8.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47125 is a missing authorization vulnerability (CWE-862) in the Arcane application before version 1.19.2. The affected endpoint PUT /api/environments/{id}/templates/variables allows authenticated non-admin users to overwrite the .env.global file, which is merged into every project's Docker compose file. This can lead to supply-chain attacks by redirecting image pulls to attacker-controlled registries, exfiltration of sensitive database credentials, and disruption of all projects relying on these environment variables. The CVSS 3.1 score is 8.8 (high severity) with network attack vector, low attack complexity, and requiring low privileges but no user interaction. The vulnerability is fixed in version 1.19.2.
Potential Impact
An attacker with any authenticated non-admin access can overwrite global environment variables used by all projects, enabling supply-chain remote code execution on the Docker host, credential theft, and widespread disruption of container deployments. This compromises confidentiality, integrity, and availability of the affected systems.
Mitigation Recommendations
Upgrade Arcane to version 1.19.2 or later, where this missing authorization check vulnerability is fixed. Until then, restrict access to authenticated users carefully and monitor for unauthorized changes to environment variables. Patch status is confirmed fixed in 1.19.2.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T19:50:18.694Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19cdf6e29bf47b50fb479c
Added to database: 5/29/2026, 5:33:42 PM
Last enriched: 5/29/2026, 5:49:09 PM
Last updated: 5/29/2026, 6:48:12 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.