CVE-2026-45627 Overview
CVE-2026-45627 is a reflected cross-site scripting (XSS) vulnerability in Arcane, a web interface for managing Docker containers, images, networks, and volumes. The flaw resides in the unauthenticated GET /api/app-images/logo endpoint, which reflects a user-supplied color query parameter into an SVG document without escaping. An attacker can break out of the <style> block inside the embedded logo.svg and inject executable <script> content. The response is served as image/svg+xml without Content-Security-Policy or X-Content-Type-Options headers. Versions prior to 1.19.0 are affected.
Critical Impact
An attacker who lures an authenticated Arcane administrator to a crafted URL executes JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account.
Affected Products
- Arcane versions prior to 1.19.0
- The unauthenticated GET /api/app-images/logo endpoint
- Deployments exposing Arcane to untrusted networks or admin browsers
Discovery Timeline
- 2026-05-29 - CVE-2026-45627 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-45627
Vulnerability Analysis
The vulnerability is a reflected cross-site scripting flaw classified under [CWE-79]. Arcane's logo endpoint accepts a color query parameter and substitutes the value into the embedded logo.svg template using Go's strings.ReplaceAll. The substitution lands inside a <style> element of the SVG body. Because the value is not HTML-escaped or attribute-encoded, an attacker supplies input that terminates the <style> block and opens a <script> element. The server returns the document with Content-Type: image/svg+xml, and browsers render embedded SVG scripts in the document origin.
Root Cause
The root cause is unsafe string concatenation of untrusted input into a structured document. The handler treats the SVG template as plain text and performs naive replacement rather than parsing the SVG or encoding the user value for the target context. Arcane also omits hardening headers including Content-Security-Policy and X-Content-Type-Options: nosniff, removing defense-in-depth that would otherwise constrain inline script execution.
Attack Vector
The attack vector is network-based and requires user interaction from an authenticated administrator. An attacker crafts a URL pointing at /api/app-images/logo with a malicious color parameter containing SVG and script payloads. When a logged-in admin loads the URL, the browser executes attacker-controlled JavaScript inside Arcane's origin. The script reads application state through the same-origin policy and issues authenticated requests using the HttpOnly JWT cookie, which the browser attaches automatically. The attacker can create users, modify Docker resources, or pivot to managed containers. Technical specifics are documented in the GitHub Security Advisory GHSA-q2pj-8v84-9mh5.
Detection Methods for CVE-2026-45627
Indicators of Compromise
- HTTP requests to /api/app-images/logo containing color parameter values with <, >, /style, or script substrings
- Outbound connections from administrator browsers to untrusted hosts immediately after loading an Arcane URL
- Unexpected administrative actions, user creations, or container changes in Arcane audit logs
Detection Strategies
- Inspect reverse proxy and application access logs for query strings on /api/app-images/logo that include URL-encoded angle brackets or script keywords
- Alert on responses from Arcane with Content-Type: image/svg+xml whose body length exceeds the baseline size of logo.svg
- Correlate administrator session activity with referrer fields pointing to external domains
Monitoring Recommendations
- Forward Arcane and reverse proxy logs to a centralized analytics platform and retain query parameters
- Monitor for new admin accounts, API token creation, and container lifecycle events outside of change windows
- Track JWT cookie usage from IP addresses or user agents that deviate from known administrator baselines
How to Mitigate CVE-2026-45627
Immediate Actions Required
- Upgrade Arcane to version 1.19.0 or later, which fixes the unsafe substitution in the logo endpoint
- Restrict network access to the Arcane interface so only trusted administrative networks can reach it
- Rotate any JWT signing keys and force administrators to reauthenticate after patching
Patch Information
The vulnerability is fixed in Arcane 1.19.0. Upgrade instructions and the technical fix description are published in the GitHub Security Advisory GHSA-q2pj-8v84-9mh5. Operators running container images should pull the updated tag and redeploy.
Workarounds
- Place Arcane behind a reverse proxy that strips or validates the color query parameter on /api/app-images/logo
- Configure the proxy to inject a strict Content-Security-Policy and X-Content-Type-Options: nosniff on Arcane responses
- Require administrators to access Arcane only from dedicated browser profiles to limit cross-site interaction risk
# Example NGINX rule to block payloads in the color parameter
location /api/app-images/logo {
if ($arg_color ~* "[<>]|script|/style") {
return 400;
}
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'" always;
proxy_pass http://arcane_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
