PT-2026-42873 · Arcane · Arcane
Offset
·
Published
2026-05-23
·
Updated
2026-06-25
·
CVE-2026-47125
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Arcane versions prior to 1.19.2
Description
The "PUT /api/environments/{id}/templates/variables" endpoint, used to write the system-wide
.env.global file for variable substitution in project compose files, lacks an admin authorization check. Any authenticated non-admin user can use their bearer token or API key to overwrite global environment variables merged into every project deployment. By manipulating variables such as REGISTRY, IMAGE, DATABASE URL, or SECRET KEY, an attacker can redirect image pulls to malicious registries, leading to supply-chain remote code execution (RCE) on the Docker host, exfiltrate database credentials, or disrupt all projects. Additionally, the UpdateGlobalVariables() function does not properly sanitize newlines in keys, allowing arbitrary key injection into the .env.global file.Recommendations
Update to version 1.19.2.
As a temporary workaround, restrict access to the "PUT /api/environments/{id}/templates/variables" endpoint to authorized administrators only.
Exploit
Fix
RCE
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Arcane