Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By overriding values like REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY that other users reference via ${VAR} in compose files, an attacker can redirect image pulls to attacker-controlled registries (supply-chain RCE on the Docker host), exfiltrate database credentials, or disrupt all projects.
Details
The endpoint is registered at backend/internal/huma/handlers/templates.go:374:
huma.Register(api, huma.Operation{
OperationID: "updateGlobalVariables",
Method: "PUT",
Path: "/environments/{id}/templates/variables",
...
Security: []map[string][]string{
{"BearerAuth": {}},
{"ApiKeyAuth": {}},
},
}, h.UpdateGlobalVariables)The handler at backend/internal/huma/handlers/templates.go:889 performs no role check:
func (h *TemplateHandler) UpdateGlobalVariables(ctx context.Context, input *UpdateGlobalVariablesInput) (*UpdateGlobalVariablesOutput, error) {
if h.templateService == nil {
return nil, huma.Error500InternalServerError("service not available")
}
if input.EnvironmentID != "0" {
return h.updateGlobalVariablesForRemoteEnvironmentInternal(ctx, input)
}
if err := h.templateService.UpdateGlobalVariables(ctx, input.Body.Variables); err != nil {
return nil, huma.Error500InternalServerError((&common.GlobalVariablesUpdateError{Err: err}).Error())
}
...
}This is anomalous compared to every other admin-sensitive handler in the codebase, all of which begin with if err := checkAdmin(ctx); err != nil { return nil, err } (see users.go, events.go, swarm.go, settings.go, apikeys.go, environments.go, notifications.go, container_registries.go, git_repositories.go, system.go). The helper exists at backend/internal/huma/handlers/helpers.go:12 but is never invoked from templates.go.
The auth middleware at backend/internal/huma/middleware/auth.go:192-254 only validates that *some* authenticated user is present (Bearer JWT, API key, or environment access token); it does not enforce roles. Role enforcement is the responsibility of each handler.
That this endpoint is intended to be admin-only is evidenced by the UI customization search at backend/internal/huma/handlers/customize.go:82-91 and :106-114, which explicitly hides the variables and registries categories from non-admin users:
if !humamw.IsAdminFromContext(ctx) {
filtered := []category.Category{}
for _, cat := range results.Results {
if cat.ID != "registries" && cat.ID != "variables" {
filtered = append(filtered, cat)
}
}
results.Results = filtered
...
}The corresponding container_registries.go handlers all enforce admin via checkAdmin() (e.g. container_registries.go:273,329,360,387,442); the equivalent enforcement for the global-variables write was forgotten.
The service layer at backend/internal/services/template_service.go:1107 writes attacker-supplied keys/values to <projectsDirectory>/.env.global:
func (s *TemplateService) UpdateGlobalVariables(ctx context.Context, vars []env.Variable) error {
envPath, err := s.getGlobalVariablesPath(ctx)
...
for _, v := range vars {
if strings.TrimSpace(v.Key) == "" { continue }
key := strings.TrimSpace(v.Key)
value := strings.TrimSpace(v.Value)
if strings.ContainsAny(value, " \t\n\r#") {
value = fmt.Sprintf(`"%s"`, strings.ReplaceAll(value, `"`, `\"`))
}
_, _ = fmt.Fprintf(&builder, "%s=%s\n", key, value)
}
if err := projects.WriteFileWithPerm(envPath, builder.String(), common.FilePerm); err != nil { ... }
}That file is then loaded for every project at deploy time via backend/pkg/projects/env.go:65-82 (EnvLoader.LoadEnvironment → loadAndMergeGlobalEnv):
if strings.TrimSpace(l.projectsDir) != "" {
globalEnvPath := filepath.Join(l.projectsDir, GlobalEnvFileName)
if err := l.loadAndMergeGlobalEnv(ctx, globalEnvPath, envMap, injectionVars); err != nil ...
}loadAndMergeGlobalEnv (env.go:94-125) populates both envMap (used by compose-go for ${VAR} substitution in compose files) and injectionVars (auto-injected into containers). The result: a single non-admin write to the global variables endpoint changes the resolved compose state of every project on the host.
Additionally, the key field is only strings.TrimSpace'd (template_service.go:1128); embedded newlines inside the key are not removed, so a key like "FOO\nINJECTED" will write two lines into .env.global, allowing arbitrary key injection and overwrite of variables an attacker did not include in their request body.
Impact
- Cross-project supply-chain RCE on the Docker host. Compose files commonly reference
${REGISTRY}/${IMAGE}:${TAG}. By pointingREGISTRY(orIMAGE) at an attacker-controlled registry, the next deploy of any affected project pulls and runs attacker code with whatever privileges Arcane gives that container (commonly Docker socket access, host volume mounts, etc.). - Credential theft from other users' projects. Variables like
DATABASE_URL,SMTP_HOST,WEBHOOK_URL,S3_ENDPOINTcan be redirected to attacker-controlled servers; the next deploy will hand the new connection strings to applications that then submit credentials/data to the attacker. - Cross-tenant integrity and availability. A single non-admin user can corrupt
.env.globalto break every project on the instance. - Bypass of intended privilege boundary. The UI explicitly hides the variables and registries surfaces from non-admins, indicating these are admin-only controls; this finding closes the gap between the documented privilege model and the API enforcement.
The privilege delta is significant: the project clearly distinguishes admin from non-admin users (separate roles, admin-only UI categories, checkAdmin() enforced on dozens of other endpoints), yet this endpoint grants a non-admin the ability to execute attacker-controlled images on the host on behalf of every other tenant.
AnalysisAI
Privilege escalation in Arcane Docker management platform (backend <= 1.19.1) allows any authenticated non-admin user to overwrite the system-wide .env.global file via the PUT /api/environments/{id}/templates/variables endpoint, which lacks the checkAdmin() guard applied to every other admin-sensitive handler. Because global variables are merged into every project's compose file at deploy time, an attacker can redirect image pulls to a malicious registry to achieve cross-tenant supply-chain code execution on the Docker host, steal credentials from other users' deployments, or break every project on the instance. No public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path.
Technical ContextAI
Arcane is a Go-based Docker/compose management application built on the Huma API framework. The vulnerability is a textbook CWE-862 (Missing Authorization): the Huma auth middleware at backend/internal/huma/middleware/auth.go only verifies that the caller presents a valid Bearer JWT, API key, or environment access token, leaving role enforcement to each individual handler via the helpers.go:12 checkAdmin() helper. The updateGlobalVariables handler at templates.go:889 omits this call, so the request reaches TemplateService.UpdateGlobalVariables (template_service.go:1107) which writes caller-supplied key=value pairs to <projectsDirectory>/.env.global. That file is then consumed by pkg/projects/env.go's EnvLoader.loadAndMergeGlobalEnv, populating both the compose-go ${VAR} substitution map and the auto-injected container env map for every project on the host. A secondary defect - keys are only TrimSpace'd, not newline-sanitized - additionally enables embedded-newline key injection. Affected package per CPE is pkg:go/github.com/getarcaneapp/arcane/backend.
RemediationAI
Upgrade the Arcane backend to vendor-released patch 1.19.2 or later, as published in GHSA-jpjh-jm2p-39hh (https://github.com/getarcaneapp/arcane/security/advisories/GHSA-jpjh-jm2p-39hh). If immediate upgrade is not possible, restrict reachability of the PUT /api/environments/{id}/templates/variables endpoint at a reverse proxy (e.g., block or admin-IP-allowlist that path) - note this also blocks legitimate admin updates via the API and the UI's variables panel, so changes must be made out-of-band until patched. As an interim hardening measure, revoke or rotate API keys held by non-admin users and audit existing .env.global contents against a known-good baseline plus inspect compose files for unexpected ${REGISTRY}/${IMAGE} substitution and any deploys that pulled from unexpected registries. Permissions on the projects directory cannot fully mitigate this because the writes are performed by the Arcane process itself.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33370
GHSA-jpjh-jm2p-39hh