Arcane Docker Manager CVE-2026-42461
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Summary
Four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's *real* env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice - not a theoretical info-disclosure.
The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access.
Details
Affected file: backend/internal/huma/handlers/templates.go:194-228.
In RegisterTemplates, four huma.Register calls have no Security: block:
// templates.go
huma.Register(api, huma.Operation{
OperationID: "listTemplatesPaginated",
Method: "GET",
Path: "/templates",
...
// <-- no Security
}, h.ListTemplates)
huma.Register(api, huma.Operation{
OperationID: "getAllTemplates",
Method: "GET",
Path: "/templates/all",
...
}, h.GetAllTemplates)
huma.Register(api, huma.Operation{
OperationID: "getTemplate",
Method: "GET",
Path: "/templates/{id}",
...
}, h.GetTemplate)
huma.Register(api, huma.Operation{
OperationID: "getTemplateContent",
Method: "GET",
Path: "/templates/{id}/content",
...
}, h.GetTemplateContent)Arcane's auth bridge (backend/internal/huma/middleware/auth.go:168-172) only enforces authentication when the operation declares one of the security schemes (BearerAuth or ApiKeyAuth). With Security omitted, parseSecurityRequirements returns isRequired=false and the request flows through with no token check.
TemplateHandler.GetTemplateContent (templates.go:478-499) calls templateService.GetTemplateContentWithParsedData (backend/internal/services/template_service.go:1303-1347), which returns the model's Content, EnvContent, parsed services, and parsed env-variable key/value pairs verbatim. The model models.ComposeTemplate (backend/internal/models/template.go:15-16) stores Content and EnvContent as plain text columns and has no owner / user binding.
Impact
- Pre-auth confidentiality breach. An unauthenticated client on the same network (or through any path-unaware reverse proxy) recovers the full
envContentof every locally-stored Compose template. Because the supported "Save as Template" workflow takes the operator's real env values verbatim, this commonly includes database passwords, registry tokens, third-party API keys (Stripe, Sentry, etc.), and OIDC client secrets. - Internal asset enumeration.
GET /api/templatesreturns names, descriptions, tags, and registry metadata for every template, leaking what services the team runs internally and which compose files they reuse
AnalysisAI
Arcane's Huma backend exposes four GET endpoints (/api/templates*) without authentication, allowing remote unauthenticated attackers to read all stored Docker Compose templates including plaintext environment files containing database passwords, API keys, and OAuth secrets. The vulnerability affects Arcane backend versions prior to 1.18.0. Because Arcane's "Save as Template" workflow persists production secrets verbatim into these templates, this is not theoretical information disclosure but direct credential theft. The frontend correctly treats these paths as authenticated, revealing a backend authorization gap (CWE-862). Vendor-released patch available in version 1.18.0. No active exploitation or public exploit code identified at time of analysis, though the attack is trivial (CVSS:4.0 AV:N/AC:L/PR:N).
Technical ContextAI
The vulnerability lies in Arcane's Huma API framework integration. Four huma.Register() calls in backend/internal/huma/handlers/templates.go (lines 194-228) omit the required Security: declaration for operations listTemplatesPaginated, getAllTemplates, getTemplate, and getTemplateContent. Arcane's custom authentication middleware (backend/internal/huma/middleware/auth.go:168-172) only enforces token validation when the operation schema explicitly declares BearerAuth or ApiKeyAuth security requirements-the parseSecurityRequirements function returns isRequired=false when Security blocks are absent, allowing anonymous requests to proceed. The affected endpoints call templateService.GetTemplateContentWithParsedData() which retrieves Content and EnvContent fields from the models.ComposeTemplate database model. These text columns store Docker Compose YAML and .env file contents with no encryption or user ownership binding, making them globally readable once the authorization check is bypassed. This is a textbook broken access control (CWE-862) scenario where horizontal privilege checks exist for mutating operations (POST/PUT/DELETE all require auth) but read operations were incorrectly registered as public.
RemediationAI
Upgrade to Arcane version 1.18.0 or later, released by the vendor at https://github.com/getarcaneapp/arcane/releases/tag/v1.18.0. The patch adds Security requirement declarations to the four vulnerable GET endpoints in templates.go, enforcing bearer token or API key authentication. If immediate upgrade is not possible, implement one of these compensating controls: (1) Configure reverse proxy (nginx, Traefik, etc.) to require authentication headers for paths matching /api/templates* before forwarding to backend-note this requires validating the same bearer tokens Arcane expects, adding operational complexity. (2) Use network segmentation to restrict /api/* access to authenticated admin IPs only via firewall rules-breaks legitimate remote access workflows and does not scale for distributed teams. (3) Disable the template save feature in the UI and purge existing custom templates from the database if they contain secrets-operationally disruptive and requires manual secret rotation for any previously stored credentials. All workarounds carry significant operational trade-offs; vendor patch is the only complete solution. After patching, audit and rotate any secrets (database passwords, API keys, OAuth client secrets) that were previously stored in custom templates, as they should be considered compromised if the instance was network-accessible.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cxx3-hr75-4q96