PT-2026-3510 · Arcane · Arcane

Pvtsec · Published 2026-01-19 · Updated 2026-05-11 · CVE-2026-23944

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Arcane versions prior to 1.13.2

Description

Arcane is an interface for managing Docker containers, images, networks, and volumes. Unauthenticated requests could be forwarded to remote environment agents, granting access to remote environment resources without proper authentication. The environment proxy middleware handled requests for remote environments on the /api/environments/{id}/... API endpoint before authentication was applied: when the environment ID (id) was not local, the middleware forwarded the request and attached the manager-held agent token, even though the caller had not authenticated. An unauthenticated attacker could therefore access and manipulate remote environment resources through the proxy, potentially resulting in data exposure, unauthorized modifications, or service disruption.

Recommendations

Update to version 1.13.2 or later.
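
The middleware ordering described above, as an added Go example that is not Arcane's code: the same two middlewares are chained in both orders and probed, so the check can serve as a regression test for this class of bug. The function names, the `local` id, the `X-Agent-Token` header, the token values and the agent hop (modelled as an immediate 200) are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed placeholders; the "local" id and X-Agent-Token header are assumed names.
const agentToken, sessionToken = "agent-token", "session-token"

// envProxy forwards /api/environments/{id}/... for a non-local id with the manager-held token.
func envProxy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, _, _ := strings.Cut(strings.TrimPrefix(r.URL.Path, "/api/environments/"), "/")
		if !strings.HasPrefix(r.URL.Path, "/api/environments/") || id == "local" {
			next.ServeHTTP(w, r)
		} else {
			r.Header.Set("X-Agent-Token", agentToken)
			w.WriteHeader(http.StatusOK) // agent hop modelled as an immediate 200 (runs offline)
		}
	})
}

// requireAuth rejects callers that do not present the session token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+sessionToken {
			w.WriteHeader(http.StatusUnauthorized)
		} else {
			next.ServeHTTP(w, r)
		}
	})
}

// probe requests environment envID and returns the status the caller receives.
func probe(authFirst bool, envID, authz string) int {
	h := envProxy(requireAuth(http.NotFoundHandler())) // vulnerable: proxy before auth
	if authFirst {
		h = requireAuth(envProxy(http.NotFoundHandler())) // hardened: auth wraps proxy
	}
	req := httptest.NewRequest("GET", "/api/environments/"+envID+"/containers", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(probe(false, "remote-1", ""), probe(true, "remote-1", "")) }
```

With the proxy ahead of authentication, only the local environment is protected; the remote path answers an anonymous caller. The local API is stood in for by a 404 handler, so an authenticated local request returns 404 here.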

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-23944
GHSA-2JV8-39RP-CQQR

Affected Products

Arcane