
Docker CVE-2026-40242

EUVD-2026-21599 | HIGH 7.2 (CVSS 3.1)
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-10 | GitHub_M | GHSA-ff24-4prj-gpmj

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (5 events)

Apr 21, 2026 - 19:07 (vuln.today): Re-analysis Queued, cvss_changed
Apr 11, 2026 - 02:30 (nvd): Patch released, Patch available
Apr 10, 2026 - 21:00 (euvd): EUVD ID Assigned, EUVD-2026-21599
Apr 10, 2026 - 21:00 (vuln.today): Analysis Generated
Apr 10, 2026 - 20:34 (nvd): CVE Published, HIGH 7.2

Description (NVD)

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.

Analysis (AI)

Server-side request forgery in Arcane Docker management interface versions prior to 1.17.3 allows unauthenticated remote attackers to conduct SSRF attacks via the /api/templates/fetch endpoint. Attackers can supply arbitrary URLs through the url parameter, causing the server to perform HTTP GET requests without URL scheme or host validation, with responses returned directly to the caller. …


Remediation (AI)

Within 24 hours: Identify all Arcane Docker instances and document current versions via 'docker inspect' or management console. Within 7 days: Contact Arcane vendor for patch availability timeline and interim guidance; implement network-layer restrictions to the /api/templates/fetch endpoint (firewall rules, WAF blocks on that URI). …
