PT-2026-36823 · Arcane · Arcane

Kmendell · Published 2026-04-30 · Updated 2026-05-11 · CVE-2026-42461

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Arcane versions prior to 1.18.0

Description

Four 'GET' endpoints under "/api/templates*" in the Huma backend are registered without security requirements. This authorization gap allows any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because the user interface persists real environment content—such as database passwords and API keys—verbatim during the "Save as Template" flow, this allows for the unauthenticated read of operator secrets. The affected endpoints include "/templates", "/templates/all", "/templates/{id}", and "/templates/{id}/content".

Recommendations

Update to version 1.18.0.
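
A defender-side regression check for this class of gap, added here as an example and not taken from Arcane's code: it assumes the backend's generated OpenAPI document has been exported as JSON, and lists every GET operation whose effective `security` requirement is missing, empty, or includes an anonymous `{}` alternative. The sample document and the `BearerAuth` scheme name are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed spec fragment (not Arcane's real document); "BearerAuth" is hypothetical.
const sampleSpec = `{"paths": {
  "/templates":              {"get": {}, "post": {"security": [{"BearerAuth": []}]}},
  "/templates/all":          {"get": {"security": []}},
  "/templates/{id}":         {"parameters": [], "get": {"security": [{}]}},
  "/templates/{id}/content": {"get": {"security": [{"BearerAuth": []}]}}
}}`

// UnauthenticatedGETs returns, sorted, every GET path callable without credentials.
func UnauthenticatedGETs(spec []byte) ([]string, error) {
	var doc struct {
		Security []map[string][]string // document-wide default
		Paths    map[string]struct {
			Get *struct{ Security *[]map[string][]string } // nil pointer: inherit default
		}
	}
	if err := json.Unmarshal(spec, &doc); err != nil {
		return nil, fmt.Errorf("parse OpenAPI document: %w", err)
	}
	open := []string{}
	for path, item := range doc.Paths {
		if item.Get == nil {
			continue
		}
		effective := doc.Security
		if item.Get.Security != nil {
			effective = *item.Get.Security // operation-level list overrides the default
		}
		anonymous := len(effective) == 0
		for _, alt := range effective {
			anonymous = anonymous || len(alt) == 0 // {} means "no credentials needed"
		}
		if anonymous {
			open = append(open, "GET "+path)
		}
	}
	sort.Strings(open)
	return open, nil
}

func main() { fmt.Println(UnauthenticatedGETs([]byte(sampleSpec))) }
```

Run in CI against the exported document, a non-empty result outside an explicit allowlist of public routes can fail the build before such an endpoint ships.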

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-42461
GHSA-CXX3-HR75-4Q96

Affected Products

Arcane