PT-2026-32043 · Arcane · Arcane

Published 2026-04-10 · Updated 2026-04-28 · CVE-2026-40242

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Arcane versions prior to 1.17.3

Description: Arcane is an interface for managing Docker containers, images, networks, and volumes. The /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without validating the URL scheme or host. The upstream server's response is returned directly to the caller. This is an unauthenticated Server-Side Request Forgery (SSRF) affecting any publicly reachable Arcane instance: an attacker can make the Arcane host issue requests to addresses that are reachable from it but not from the attacker, and learn about the target from the response handling, which leaks the first byte of a non-JSON response, HTTP status codes, and TCP connection state (connection refused or i/o timeout).

Recommendations: Update to version 1.17.3 or later. Until the update is applied, restrict network access to the instance so that it is not reachable from untrusted networks.
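As an added worked example (it is not Arcane's code and not the 1.17.3 patch), the following Go program shows what a hardened template fetcher of this kind has to do to close each of the leaks described above: restrict the scheme to https, refuse credentials in the URL, resolve the host and check every address against loopback, private, CGNAT and link-local ranges before use, pin the connection to the checked address so a DNS rebinding between check and use cannot redirect it, refuse redirects, bound time and body size, and collapse every failure into one generic error so that status codes, the first byte of the body, and "connection refused" versus "i/o timeout" no longer reach the caller. The function names (ValidateTemplateURL, FetchTemplate, the Lookup type, the blocked list) and the sample hostnames are assumptions made for illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"io"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Lookup resolves a hostname; injectable so the checks run offline in tests.
// Production passes a wrapper around net.DefaultResolver.LookupNetIP.
type Lookup func(ctx context.Context, host string) ([]netip.Addr, error)

// blocked: ranges a template fetcher must never reach (loopback, RFC 1918, CGNAT,
// link-local incl. the 169.254.169.254 metadata service, and IPv6 equivalents).
var blocked = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("::/128"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// One error for every failure mode: the caller must not be able to tell
// "refused" from "timeout" from "non-JSON body" from "HTTP 403".
var errGeneric = errors.New("template could not be fetched")

func isBlocked(a netip.Addr) bool {
	for _, p := range blocked {
		if p.Contains(a.Unmap()) { // Unmap: ::ffff:127.0.0.1 is 127.0.0.1
			return true
		}
	}
	return false
}

// ValidateTemplateURL allows only https, no embedded credentials, and a host that
// resolves exclusively to public addresses. The vetted address is returned so the
// connection is pinned to it; otherwise DNS rebinding between check and use wins.
func ValidateTemplateURL(ctx context.Context, raw string, lookup Lookup) (*url.URL, netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" || u.User != nil {
		return nil, netip.Addr{}, errGeneric
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(u.Hostname()); perr == nil {
		addrs = []netip.Addr{ip} // IP literal: no DNS involved
	} else if addrs, err = lookup(ctx, u.Hostname()); err != nil || len(addrs) == 0 {
		return nil, netip.Addr{}, errGeneric
	}
	for _, a := range addrs { // every address must pass, not just the first
		if isBlocked(a) {
			return nil, netip.Addr{}, errGeneric
		}
	}
	return u, addrs[0].Unmap(), nil
}

// FetchTemplate dials the vetted address (SNI and Host header still carry the
// hostname), refuses redirects, bounds time and body size, and collapses every
// failure into errGeneric so neither status codes nor TCP state reach the caller.
func FetchTemplate(ctx context.Context, raw string, lookup Lookup) (json.RawMessage, error) {
	u, addr, err := ValidateTemplateURL(ctx, raw, lookup)
	if err != nil {
		return nil, err
	}
	client := &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, dialAddr string) (net.Conn, error) {
				_, port, _ := net.SplitHostPort(dialAddr) // transport already applied the :443 default
				return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(addr.String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, errGeneric
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, errGeneric
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil || resp.StatusCode != http.StatusOK || !json.Valid(body) {
		return nil, errGeneric
	}
	return json.RawMessage(body), nil
}
```

The pinning is the part most often left out: a hostname that resolves to a public address at check time can resolve to 127.0.0.1 a second later, so the dialer connects to the address that was checked while the request still carries the original hostname for SNI and the Host header. Redirects are refused rather than followed because a 3xx from a public server is the easiest way to point the fetcher back inside. A fake Lookup lets the validation be exercised without DNS; production code passes a closure around net.DefaultResolver.LookupNetIP. Where the product only needs templates from a small set of sources, an allowlist of those hosts is stronger than a denylist of address ranges and should be preferred.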

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-40242
GHSA-FF24-4PRJ-GPMJ

Affected Products

Arcane