PT-2026-42873 · Arcane · Arcane

Offset

·

Published

2026-05-23

·

Updated

2026-06-25

·

CVE-2026-47125

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Arcane versions prior to 1.19.2
Description The "PUT /api/environments/{id}/templates/variables" endpoint, used to write the system-wide .env.global file for variable substitution in project compose files, lacks an admin authorization check. Any authenticated non-admin user can use their bearer token or API key to overwrite global environment variables merged into every project deployment. By manipulating variables such as REGISTRY, IMAGE, DATABASE URL, or SECRET KEY, an attacker can redirect image pulls to malicious registries, leading to supply-chain remote code execution (RCE) on the Docker host, exfiltrate database credentials, or disrupt all projects. Additionally, the UpdateGlobalVariables() function does not properly sanitize newlines in keys, allowing arbitrary key injection into the .env.global file.
Recommendations Update to version 1.19.2. As a temporary workaround, restrict access to the "PUT /api/environments/{id}/templates/variables" endpoint to authorized administrators only.

Exploit

Fix

RCE

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47125
GHSA-JPJH-JM2P-39HH
GO-2026-5476

Affected Products

Arcane