CVE-2026-47125 Overview
Arcane is a web interface for managing Docker containers, images, networks, and volumes. CVE-2026-47125 is a missing authorization vulnerability [CWE-862] in the PUT /api/environments/{id}/templates/variables endpoint. The endpoint writes the system-wide .env.global file used for variable substitution in every project's compose file but lacks an admin authorization check. Any authenticated non-admin user can overwrite global environment variables that are merged into every project deployment. The flaw affects Arcane versions prior to 1.19.2.
Critical Impact
Authenticated low-privileged users can redirect image pulls to attacker-controlled registries, achieving supply-chain remote code execution on the Docker host and exfiltrating credentials across all projects.
Affected Products
- Arcane versions prior to 1.19.2
- Arcane Docker management interface deployments
- Multi-user Arcane installations with non-admin accounts
Discovery Timeline
- 2026-05-29 - CVE-2026-47125 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-47125
Vulnerability Analysis
The vulnerability resides in the PUT /api/environments/{id}/templates/variables REST endpoint. This endpoint manages the .env.global file, a system-wide configuration that Arcane merges into every project's Docker Compose file during variable substitution. The endpoint enforces authentication but omits the admin role check required for a destructive, system-wide operation.
Any user with a valid bearer token or API key can issue a write request to this endpoint. The attacker overwrites variables such as REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY that other users reference through ${VAR} syntax in their compose files. When victim projects are next deployed, the substituted values come from the attacker-controlled .env.global file.
Root Cause
The root cause is a missing authorization check [CWE-862] on a privileged administrative endpoint. The route validates the session token but does not verify that the requesting principal holds the admin role. Multi-tenant trust boundaries are violated because a per-user authenticated context is allowed to mutate global system state.
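To make the root cause concrete, here is an added illustration in Go (not Arcane's code; the token store, role names and handler bodies are constructed for this example) of the same route wired with authentication only, as the vulnerable release did, and with an admin authorization layer inserted in front of the write, as the fix requires:

```go
package main

import (
	"context"
	"net/http"
	"strings"
)

// Constructed bearer tokens -> roles; stands in for Arcane's real session store.
var tokens = map[string]string{"tok-alice": "user", "tok-root": "admin"}

type roleKey struct{}

// authenticate is the check the endpoint did have: unknown tokens get 401, and
// the caller's role is stored in the request context for later authorization.
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), roleKey{}, role)))
	})
}

// requireAdmin is the authorization step the vulnerable endpoint lacked: a write
// to system-wide state is refused with 403 unless the principal is an admin.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := r.Context().Value(roleKey{}).(string); role != "admin" {
			http.Error(w, "admin role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newHandler wires the PUT route both ways: vulnerable=true is authentication
// only (the CVE-2026-47125 shape); vulnerable=false inserts requireAdmin. The
// innermost handler stands in for the .env.global write and only acknowledges.
func newHandler(vulnerable bool) http.Handler {
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	if !vulnerable {
		h = requireAdmin(h)
	}
	return authenticate(h)
}
```

The point is the ordering: authentication answers "who is this?", and a separate authorization step must still answer "may this principal mutate global state?" before the handler runs.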
Attack Vector
An attacker needs only a low-privileged Arcane account or a leaked API key. The attacker sends a single PUT request to the templates variables endpoint with a JSON payload that redefines critical variables. By setting REGISTRY to an attacker-controlled host, subsequent image pulls fetch malicious containers that execute on the Docker host. Alternatively, redefining DATABASE_URL reroutes application traffic to attacker infrastructure, exposing credentials and data.
The vulnerability is described in the GitHub Security Advisory GHSA-jpjh-jm2p-39hh.
Detection Methods for CVE-2026-47125
Indicators of Compromise
- Unexpected modifications to the .env.global file with timestamps that do not match administrator activity.
- HTTP PUT requests to /api/environments/{id}/templates/variables originating from non-admin user sessions or API keys.
- Docker image pulls referencing registries not present in the organization's approved registry allowlist.
- Container deployments where resolved ${VAR} values differ from previously deployed configurations.
Detection Strategies
- Audit Arcane application logs for calls to the templates variables endpoint and correlate the requesting user identity with admin role membership.
- Compare file integrity hashes of .env.global against a known-good baseline and alert on drift.
- Monitor Docker daemon events for image pull operations referencing unfamiliar registry hostnames.
Monitoring Recommendations
- Enable verbose audit logging on the Arcane API and forward events to a centralized log platform.
- Alert on any successful 2xx response to the /api/environments/{id}/templates/variables PUT endpoint.
- Track outbound network connections from Docker hosts to registries outside an approved allowlist.
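As an added example covering the log-correlation strategy above and the 2xx-alert rule in the monitoring list (not Arcane's tooling; the audit record schema, field names and sample lines are constructed), this Go detector flags successful writes to the endpoint and escalates those made by principals outside the admin set:

```go
package main

import (
	"encoding/json"
	"regexp"
)

// auditEvent is one constructed API audit record; Arcane's real log schema is
// not modelled here, so map your own field names onto these tags.
type auditEvent struct {
	Time   string `json:"ts"`
	User   string `json:"user"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Status int    `json:"status"`
}

type Finding struct{ Time, User, Severity, Reason string } // one alert per matching write

var globalEnvPath = regexp.MustCompile(`^/api/environments/[^/]+/templates/variables/?$`) // any environment id

// flagGlobalEnvWrites reports every successful (2xx) PUT to the route, and escalates
// to high severity when the caller is absent from the admin set, which is taken from
// the identity store rather than trusted from the log line. Unparseable lines are counted.
func flagGlobalEnvWrites(lines []string, admins map[string]bool) (findings []Finding, malformed int) {
	for _, line := range lines {
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			malformed++
			continue
		}
		if ev.Method != "PUT" || !globalEnvPath.MatchString(ev.Path) || ev.Status/100 != 2 {
			continue
		}
		f := Finding{ev.Time, ev.User, "info", "successful write to .env.global via templates variables endpoint"}
		if !admins[ev.User] {
			f.Severity, f.Reason = "high", "non-admin principal rewrote system-wide .env.global (CVE-2026-47125 pattern)"
		}
		findings = append(findings, f)
	}
	return findings, malformed
}

var sampleLog = []string{ // constructed test data, not real Arcane output
	`{"ts":"2026-05-30T09:14:02Z","user":"root","method":"PUT","path":"/api/environments/1/templates/variables","status":200}`,
	`{"ts":"2026-05-30T09:15:47Z","user":"alice","method":"PUT","path":"/api/environments/1/templates/variables","status":204}`,
	`{"ts":"2026-05-30T09:16:01Z","user":"alice","method":"GET","path":"/api/environments/1/templates/variables","status":200}`,
	`{"ts":"2026-05-30T09:16:30Z","user":"bob","method":"PUT","path":"/api/environments/9/templates/variables","status":403}`,
	`not json at all`,
}
```

Against sampleLog the detector yields one informational finding (the admin write) and one high-severity finding (alice's 204), while the GET, the denied 403 and the garbage line produce no alert.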
How to Mitigate CVE-2026-47125
Immediate Actions Required
- Upgrade all Arcane instances to version 1.19.2 or later without delay.
- Rotate API keys and bearer tokens issued to non-admin users following the upgrade.
- Review the contents of .env.global and revert any unexpected modifications to known-good values.
- Rotate secrets such as DATABASE_URL and SECRET_KEY if tampering is suspected.
Patch Information
The vulnerability is fixed in Arcane version 1.19.2. The patch adds the missing admin authorization check on the PUT /api/environments/{id}/templates/variables endpoint. Refer to the GitHub Security Advisory for release details.
Workarounds
- Restrict network access to the Arcane API to trusted administrative networks only.
- Revoke API keys and disable non-admin user accounts until the upgrade is applied.
- Enforce a registry allowlist at the Docker daemon level to block pulls from unapproved registries.
# Upgrade Arcane to the patched release
docker pull ghcr.io/getarcaneapp/arcane:1.19.2
docker stop arcane && docker rm arcane
docker run -d --name arcane ghcr.io/getarcaneapp/arcane:1.19.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.