CVE-2026-45625 Overview
CVE-2026-45625 is a missing authorization vulnerability [CWE-862] in Arcane, an interface for managing Docker containers, images, networks, and volumes. Versions prior to 1.19.0 expose nine GitOps repository management endpoints under /api/customize/git-repositories and /api/git-repositories/sync without administrative role checks. Any authenticated user with the default user role can list, create, modify, delete, and test Git repository configurations. An attacker can repoint an existing repository to an attacker-controlled host and force Arcane to decrypt and transmit stored Personal Access Tokens (PATs) or SSH keys. The vulnerability is fixed in version 1.19.0.
Critical Impact
Authenticated low-privileged users can exfiltrate plaintext Git credentials stored by Arcane in a single API request, compromising connected source code repositories.
Affected Products
- Arcane versions prior to 1.19.0
- Arcane huma-based REST API GitOps endpoints
- Arcane stored Git PAT and SSH key credentials
Discovery Timeline
- 2026-05-29 - CVE-2026-45625 published to the National Vulnerability Database (NVD)
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-45625
Vulnerability Analysis
Arcane's huma-based REST API exposes nine endpoints for managing GitOps source repositories and their associated credentials. Eight of those endpoints — list, create, get, update, delete, test, listBranches, and browseFiles — fail to invoke the checkAdmin(ctx) helper used by every other admin-managed resource. Other resources such as container registries, environments, users, API keys, swarm, settings, system, notifications, and events all enforce administrative authorization. The huma authentication middleware enforces only authentication and intentionally does not enforce role-based access.
The vulnerability allows any logged-in user with the default user role to manipulate stored GitOps repository configurations. Because repositories store Personal Access Tokens and SSH keys for upstream Git providers, manipulation of these records exposes credentials that often grant broad access to source code, CI/CD pipelines, and downstream production systems.
Root Cause
The root cause is a missing authorization check [CWE-862] on GitOps endpoints. The UpdateRepository handler rewrites the stored token and sshKey fields only when they are explicitly supplied in the request body. An attacker can update the repository URL while omitting credential fields, leaving the encrypted credentials intact but now bound to a hostile remote.
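As an added illustration of the fix shape (this is not Arcane's code and not the vendor's patch), the Go sketch below shows an update handler that runs the admin check before touching the stored record. The record type, the roleKey context value, the role names "admin"/"user", the request field names and the sample repository are all assumptions modelled on the advisory's description. The extra rule that refuses to keep stored credentials bound to a new host unless fresh credentials arrive with the change is an added hardening beyond what the page describes.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Repository is an illustrative model of a stored GitOps record. Field names
// follow the advisory's wording (url, token, sshKey) but are assumptions.
type Repository struct {
	URL    string
	Token  string // stored encrypted by Arcane; kept plain here for illustration
	SSHKey string
}

type ctxKey string

// roleKey and the role names are assumptions about how an authentication
// middleware hands the caller's role to a handler.
const roleKey ctxKey = "role"

var errForbidden = errors.New("admin role required")

// checkAdmin is the role check the advisory says every other admin-managed
// resource applies and that the GitOps endpoints omitted before 1.19.0.
func checkAdmin(ctx context.Context) error {
	if role, _ := ctx.Value(roleKey).(string); role != "admin" {
		return errForbidden
	}
	return nil
}

// updateRequest mirrors the body shape the advisory describes: credential
// fields are optional and overwrite stored values only when present.
type updateRequest struct {
	URL    string `json:"url"`
	Token  string `json:"token,omitempty"`
	SSHKey string `json:"sshKey,omitempty"`
}

// newRepos returns one constructed sample record.
func newRepos() map[string]*Repository {
	return map[string]*Repository{
		"repo-1": {URL: "https://git.example.org/team/app.git", Token: "ghp_sample"},
	}
}

// hostOf extracts the host from an https:// or ssh:// URL, or from an
// scp-style SSH URL (git@host:path), so a repoint to another host is visible.
func hostOf(raw string) string {
	if u, err := url.Parse(raw); err == nil && u.Host != "" {
		return strings.ToLower(u.Hostname())
	}
	h := raw
	if i := strings.Index(h, ":"); i >= 0 {
		h = h[:i]
	}
	if i := strings.Index(h, "@"); i >= 0 {
		h = h[i+1:]
	}
	return strings.ToLower(h)
}

// updateRepository runs the authorization check before touching the record.
// It also refuses to leave existing credentials bound to a new host unless
// fresh credentials arrive with the change (added hardening, not on the page).
func updateRepository(ctx context.Context, repos map[string]*Repository, id string, req updateRequest) (int, error) {
	if err := checkAdmin(ctx); err != nil {
		return http.StatusForbidden, err
	}
	repo, ok := repos[id]
	if !ok {
		return http.StatusNotFound, errors.New("no such repository")
	}
	if req.URL != "" && hostOf(req.URL) != hostOf(repo.URL) && req.Token == "" && req.SSHKey == "" {
		return http.StatusBadRequest, errors.New("changing the repository host requires new credentials")
	}
	if req.URL != "" {
		repo.URL = req.URL
	}
	if req.Token != "" {
		repo.Token = req.Token
	}
	if req.SSHKey != "" {
		repo.SSHKey = req.SSHKey
	}
	return http.StatusOK, nil
}

func main() {
	repos := newRepos()
	userCtx := context.WithValue(context.Background(), roleKey, "user")
	code, err := updateRepository(userCtx, repos, "repo-1", updateRequest{URL: "https://other-host.example/app.git"})
	fmt.Println(code, err) // 403 admin role required
}
```

The ordering matters: the role check is the first statement, so a non-admin request never reaches the code path that rewrites the URL while leaving the stored credential intact.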
Attack Vector
An authenticated low-privileged user issues an update request against an existing repository, replacing the upstream URL with an attacker-controlled host and omitting token and sshKey. On the next call to /test, /branches, or /files, Arcane decrypts the stored PAT or SSH key and presents it as HTTP Basic authentication or SSH key authentication against the attacker's host. The attacker captures the plaintext credential in a single round trip, with no additional user interaction required.
No verified public exploit code is available. See the GitHub Security Advisory for the vendor's technical write-up.
Detection Methods for CVE-2026-45625
Indicators of Compromise
- Outbound HTTPS or SSH connections from Arcane hosts to Git endpoints that do not match the organization's approved source forges.
- Modifications to records in the git_repositories table where the url field changes but token and sshKey ciphertext remain unchanged.
- API calls to /api/customize/git-repositories or /api/git-repositories/sync originating from sessions bound to non-admin users.
- Bursts of /test, /branches, or /files requests immediately following a repository update event.
Detection Strategies
- Audit Arcane access logs for write operations against /api/customize/git-repositories/* issued by accounts without the admin role.
- Correlate repository update events with subsequent test or sync calls to identify the credential-decryption trigger pattern.
- Inspect egress traffic from the Arcane host for connections to unexpected destinations on TCP 443 and 22.
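The two log-based strategies above, as an added example that is not part of the advisory: a Go program that reads constructed Arcane-style access log lines, flags write operations against the GitOps endpoints by accounts without the admin role, and correlates a repository update with a /test, /branches or /files call on the same record inside a time window. The log layout (RFC3339 timestamp, user, role, method, path, status) and the per-record path shape /api/customize/git-repositories/<id>/test are assumptions; the sample lines are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed access-log record. The space-separated layout
// "timestamp user role method path status" is an assumption for this example.
type Event struct {
	Time   time.Time
	User   string
	Role   string
	Method string
	Path   string
	Status string
}

// Finding is one alert produced by Analyze.
type Finding struct {
	Rule string
	User string
	Path string
}

const (
	repoPrefix = "/api/customize/git-repositories"
	syncPath   = "/api/git-repositories/sync"
)

// SampleLog is constructed input: bob (role "user") updates repo-1 and
// immediately tests it; carol (admin) updates repo-2 and tests it much later.
var SampleLog = []string{
	"2026-06-01T10:00:00Z alice user GET /api/environments 200",
	"2026-06-01T10:00:05Z bob user PUT /api/customize/git-repositories/repo-1 200",
	"2026-06-01T10:00:07Z bob user POST /api/customize/git-repositories/repo-1/test 200",
	"2026-06-01T10:30:00Z carol admin PUT /api/customize/git-repositories/repo-2 200",
	"2026-06-01T12:00:00Z carol admin POST /api/customize/git-repositories/repo-2/test 200",
}

func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, false
	}
	return Event{Time: ts, User: f[1], Role: f[2], Method: f[3], Path: f[4], Status: f[5]}, true
}

func isGitOpsPath(p string) bool { return strings.HasPrefix(p, repoPrefix) || p == syncPath }

func isWrite(m string) bool {
	return m == "POST" || m == "PUT" || m == "PATCH" || m == "DELETE"
}

// repoID returns the <id> segment of /api/customize/git-repositories/<id>[/...],
// or "" for the collection and sync paths.
func repoID(p string) string {
	rest := strings.TrimPrefix(p, repoPrefix+"/")
	if rest == p {
		return ""
	}
	if i := strings.Index(rest, "/"); i >= 0 {
		return rest[:i]
	}
	return rest
}

// isTrigger matches the calls the advisory names as the ones that decrypt and
// present the stored credential.
func isTrigger(p string) bool {
	return strings.HasSuffix(p, "/test") || strings.HasSuffix(p, "/branches") || strings.HasSuffix(p, "/files")
}

// Analyze applies two rules over the lines in order:
//   1. any write to a GitOps endpoint by a non-admin role;
//   2. a /test, /branches or /files call within `window` of an update to the same record.
func Analyze(lines []string, window time.Duration) []Finding {
	var findings []Finding
	lastUpdate := map[string]Event{} // repo id -> most recent update event
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		if isWrite(ev.Method) && isGitOpsPath(ev.Path) && ev.Role != "admin" {
			findings = append(findings, Finding{"non-admin-gitops-write", ev.User, ev.Path})
		}
		id := repoID(ev.Path)
		if id == "" {
			continue
		}
		if (ev.Method == "PUT" || ev.Method == "PATCH") && !isTrigger(ev.Path) {
			lastUpdate[id] = ev
		} else if u, seen := lastUpdate[id]; isTrigger(ev.Path) && seen && ev.Time.Sub(u.Time) >= 0 && ev.Time.Sub(u.Time) <= window {
			findings = append(findings, Finding{"update-then-trigger", ev.User, ev.Path})
		}
	}
	return findings
}

func main() {
	for _, f := range Analyze(SampleLog, 5*time.Minute) {
		fmt.Printf("%-24s %-6s %s\n", f.Rule, f.User, f.Path)
	}
}
```

Rule 2 fires regardless of role, since an admin account could be the one being misused; the window (five minutes here) is the knob to tune against the normal "edit, then test" workflow on your instance.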
Monitoring Recommendations
- Enable verbose audit logging on the Arcane API and forward events to a centralized log platform for retention and review.
- Alert on any change to url fields in stored Git repository records and require operator confirmation.
- Rotate stored Git PATs and SSH keys on any anomalous repository modification and review upstream Git provider audit logs for unauthorized clones or pulls.
How to Mitigate CVE-2026-45625
Immediate Actions Required
- Upgrade Arcane to version 1.19.0 or later, which adds the missing checkAdmin(ctx) enforcement on GitOps endpoints.
- Rotate every Git Personal Access Token and SSH key stored in Arcane, treating prior credentials as exposed.
- Review upstream Git provider audit logs for unauthorized authentication attempts originating from unexpected source IPs.
- Restrict the Arcane user base to trusted operators until the upgrade is applied.
Patch Information
The vendor fixed the vulnerability in Arcane 1.19.0. The patch adds administrative authorization checks to all GitOps repository endpoints. Refer to the GitHub Security Advisory GHSA-7h26-hg47-p9hx for vendor guidance and release details.
Workarounds
- Place Arcane behind a reverse proxy that blocks /api/customize/git-repositories and /api/git-repositories/sync for non-administrator sessions until the upgrade is applied.
- Remove all stored Git credentials from Arcane and use ephemeral, scoped tokens supplied at sync time where feasible.
- Disable or remove non-admin user accounts on Arcane instances that cannot be upgraded immediately.
# Example nginx reverse proxy rule to block GitOps endpoints pending upgrade.
# nginx cannot see Arcane's session role, so this denies the matched paths for
# every caller, administrators included, while it is in place.
location ~ ^/api/(customize/git-repositories|git-repositories/sync) {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.