Skip to main content

Arcane Backend CVE-2026-45627

| EUVDEUVD-2026-33371 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-18 https://github.com/getarcaneapp/arcane GHSA-q2pj-8v84-9mh5
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 15:00 vuln.today
Analysis Generated
May 18, 2026 - 15:00 vuln.today

DescriptionGitHub Advisory

Summary

The unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account.

Details

The route is registered in backend/internal/huma/handlers/appimages.go:53-61 with an explicitly empty security requirement, marking it as public:

go
huma.Register(api, huma.Operation{
    OperationID: "get-logo",
    Method:      http.MethodGet,
    Path:        "/app-images/logo",
    ...
    Security:    []map[string][]string{}, // explicit: no auth
}, h.GetLogo)

backend/internal/huma/middleware/auth.go:209-213 honors the empty Security value by returning reqs.isRequired == false and short-circuiting with next(ctx), so no JWT/API-key check runs.

GetLogoInput.Color (appimages.go:23) is declared with no validation tags:

go
type GetLogoInput struct {
    Full  bool   `query:"full" default:"false" ...`
    Color string `query:"color" doc:"Optional accent color override ..."`
}

The handler passes the value straight through getImageWithColorApplicationImagesService.GetImageWithColorapplyAccentColorToSVG (backend/internal/services/app_images_service.go:79-105):

go
svgStr = strings.ReplaceAll(svgStr, "fill:#6D28D9", fmt.Sprintf("fill:%s", accentColor))
svgStr = strings.ReplaceAll(svgStr, "fill:#6d28d9", fmt.Sprintf("fill:%s", accentColor))

The bundled backend/resources/images/logo.svg contains:

xml
<style id="style1" type="text/css">.st0{fill:#6d28d9}</style>

so a color value like red}</style><script>fetch('/api/users',...)</script><style>x{ produces a valid SVG that closes the <style> element and embeds a <script> element. The response Content-Type is image/svg+xml (from pkg/utils/image/image_util.go), and a grep of the backend confirms no Content-Security-Policy, X-Content-Type-Options, or framing headers are emitted on any route.

Browsers execute scripts in SVG documents loaded as top-level navigations or via <iframe src=…> / window.open(…). The execution context is origin(arcane-host), so the victim's __Host-token / token HttpOnly JWT cookie (recognized by extractTokenFromCookieHeaderInternal at auth.go:274-286) is automatically attached to subsequent same-origin fetch() calls. From there the attacker can invoke any privileged API the victim possesses - most damagingly POST /api/users to create a new admin account, after which the attacker has standalone admin access to manage Docker containers, registries, GitOps secrets, and SSH/registry credentials stored by Arcane.

Impact

  • Same-origin script execution from an unauthenticated, reachable URL - only user interaction (clicking/visiting the crafted link) is required.
  • Full session-riding against any authenticated user, including admins. Because Arcane manages Docker daemons, container exec, image registries, and GitOps repositories, an attacker who lands script execution as an admin victim can:
  • Create persistent attacker-controlled admin accounts via POST /api/users.
  • Read/modify secrets stored in environments, registries, and Git repositories the admin can access.
  • Start or exec into containers on connected Docker hosts.
  • HttpOnly cookies do not mitigate the issue - cookies are auto-attached to same-origin fetch(). Absence of CSP and X-Content-Type-Options: nosniff removes available defenses-in-depth.

Defense-in-depth - add to all responses (and especially to /api/app-images/*):

  • X-Content-Type-Options: nosniff
  • Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data: on the SVG image responses (or the most permissive policy compatible with the frontend on app routes).
  • Consider serving these images with Content-Disposition: inline and from a separate cookie-less origin to remove the same-origin session-riding primitive entirely.

Also enforce the same allowlist on the settings write path (SettingsServiceAccentColor) so a stored XSS variant cannot be introduced via the settings API.

AnalysisAI

Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.

Technical ContextAI

Arcane Backend is a Go-based container management platform that provides Docker daemon control, registry management, and GitOps functionality. The vulnerability stems from unsafe string substitution in SVG processing where user-controlled input is inserted directly into a style element without escaping. The affected component (pkg:go/github.com_getarcaneapp_arcane_backend) serves SVG images with content-type image/svg+xml, and modern browsers execute JavaScript within SVG documents when loaded as top-level resources. The CWE-79 classification indicates improper neutralization of input during web page generation, a classic XSS pattern.

RemediationAI

Upgrade Arcane Backend to version 1.19.0 or later, which contains the fix for this vulnerability. Until upgrade is possible, implement these specific mitigations: configure a reverse proxy to add security headers including X-Content-Type-Options: nosniff and Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data: for all /api/app-images/* endpoints. Additionally, consider serving image endpoints from a separate subdomain without cookie access to prevent session riding. Monitor access logs for requests to /api/app-images/logo with suspicious color parameters containing script tags or style closures.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-45627 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy