CVE-2026-40242: Unauthenticated Server-Side Request Forgery in Arcane Template Fetch Mechanism
Vulnerability ID: CVE-2026-40242
CVSS Score: 7.2
Published: 2026-04-10
Arcane, a web-based interface for managing Docker environments, contains a high-severity unauthenticated Server-Side Request Forgery (SSRF) vulnerability. Prior to version 1.17.3, the application exposed the /api/templates/fetch endpoint without authentication, allowing remote attackers to make the server issue outbound HTTP GET requests to arbitrary destinations. Because the endpoint reflected the fetched response directly and returned verbose error messages, an attacker could read from internal network services and cloud provider metadata endpoints, and infer the state of internal applications from which error came back.
TL;DR
Arcane versions prior to 1.17.3 are vulnerable to unauthenticated SSRF via the /api/templates/fetch endpoint. Attackers can leverage this to scan internal networks, access cloud metadata, and extract internal service data due to poor input validation and verbose error reflection.
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS Score: 7.2 (High)
- Impact: Server-Side Request Forgery / Info Disclosure
- Exploit Status: Unweaponized / Proof-of-Concept
- CISA KEV: Not Listed
Affected Systems
- Arcane < 1.17.3 (fixed in 1.17.3)
Code Analysis
Commit: 8e67b3b
Implemented SafeOutboundHTTPClient and required authentication on the template fetch endpoint.
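The commit is summarized only by name above, so here is an added illustration (not Arcane's code, and not a reproduction of its SafeOutboundHTTPClient) of what an outbound client that closes this class of SSRF needs to do: accept only http/https, resolve the host once, reject loopback, private, link-local (which covers 169.254.169.254), multicast and unspecified addresses, pin the dialer to the validated address so a DNS rebinding cannot swap it after the check, and refuse redirects. The function names and the timeouts are assumptions; the sample targets in main are literal addresses so it runs without DNS or network.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// isDisallowedIP reports whether an address must never be the target of a
// server-side fetch: loopback, RFC 1918 / ULA private ranges, link-local
// (which covers the 169.254.169.254 cloud metadata service), multicast and
// the unspecified address.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkTarget validates a user-supplied URL before any connection is opened:
// http/https only, a non-empty host, and every address the host resolves to
// must be public. The resolved addresses are returned so the dialer can be
// pinned to them; a second lookup at dial time would reopen a DNS-rebinding hole.
func checkTarget(ctx context.Context, raw string, resolver *net.Resolver) (*url.URL, []net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS involved
	} else {
		addrs, err := resolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, nil, err
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	if len(ips) == 0 {
		return nil, nil, fmt.Errorf("host %q did not resolve", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, nil, fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return u, ips, nil
}

// NewSafeOutboundHTTPClient (hypothetical name, not the project's type) builds a
// client whose dialer connects only to the addresses validated by checkTarget,
// whatever the name resolves to later, and which refuses redirects (a 302 to
// http://127.0.0.1/ would otherwise bypass the check). TLS still verifies
// against the original host name because only the dial address is replaced.
// validated must be non-empty, which checkTarget guarantees.
func NewSafeOutboundHTTPClient(validated []net.IP) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				return dialer.DialContext(ctx, network, net.JoinHostPort(validated[0].String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("redirects are not followed for template fetches")
		},
	}
}

func main() {
	// Constructed targets using literal addresses, so no DNS or network is needed.
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/iam/security-credentials/",
		"http://127.0.0.1:2375/containers/json",
		"file:///etc/passwd",
		"https://93.184.216.34/compose.yaml",
	} {
		if _, ips, err := checkTarget(context.Background(), raw, net.DefaultResolver); err != nil {
			fmt.Printf("REJECT %s: %v\n", raw, err)
		} else {
			fmt.Printf("ALLOW  %s -> %v\n", raw, ips)
		}
	}
}
```

Pinning the dial address and refusing redirects are the two steps most often missing from "block private IPs" fixes; without them a hostname that resolves to a public address at check time and to 169.254.169.254 at dial time, or a public server that answers with a redirect to localhost, gets through.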
Mitigation Strategies
- Upgrade to Arcane version 1.17.3 or later to receive the patched SafeOutboundHTTPClient implementation.
- Restrict network access to the Arcane application interface using external firewalls or identity-aware proxies.
- Implement network egress filtering on the host running Arcane to block access to cloud metadata services (169.254.169.254) unless explicitly required.
- Utilize Web Application Firewall (WAF) rules to detect and block anomalous url parameters containing internal IP addresses or localhost references. Rules keyed on literal addresses are bypassed by hostnames that resolve to internal ranges and by redirects from an external server, so treat this as defense in depth rather than a fix.
Remediation Steps:
- Determine the current version of the Arcane application running in the environment.
- Pull the latest Arcane Docker image or binary corresponding to version 1.17.3.
- Deploy the updated version and verify that the /api/templates/fetch endpoint returns a 401 Unauthorized status for unauthenticated requests.
- Review application logs for historical unauthorized access to the /api/templates/fetch endpoint to identify potential prior exploitation.
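The final step, reviewing logs for prior exploitation, is easier with a script than by eye. The following is an added example, not part of this advisory or of the Arcane project: it parses constructed access log lines in the common combined format (Arcane's real log format may differ; the regex is an assumption) and flags every request to /api/templates/fetch whose url parameter pointed at a loopback, private, link-local or metadata address, including when the parameter was URL-encoded. Hostnames other than the few listed are left for manual review because the script cannot resolve them offline.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one request to the vulnerable endpoint whose url parameter
// targeted an address the server should never have been asked to fetch.
type Finding struct {
	ClientIP string
	Status   string
	Target   string
	Reason   string
}

// requestLine pulls the client address, request target and status code out of a
// combined-format access log line (format assumed here; adjust to the proxy in use).
var requestLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})`)

// internalName lists hostnames that reach loopback or cloud metadata without an IP literal.
var internalName = map[string]bool{
	"localhost": true, "metadata": true, "metadata.google.internal": true,
}

// isDisallowedIP covers loopback, private, link-local (169.254.169.254), multicast and unspecified.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// classifyTarget returns a non-empty reason when the fetched URL points at an internal address.
func classifyTarget(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "unparseable url parameter"
	}
	host := strings.ToLower(u.Hostname())
	if internalName[host] {
		return "internal hostname " + host
	}
	if ip := net.ParseIP(host); ip != nil && isDisallowedIP(ip) {
		return "internal or metadata address " + ip.String()
	}
	return ""
}

// ScanLog returns a finding for every /api/templates/fetch request that targeted an
// internal address, plus the total number of fetch requests seen so the reviewer
// can judge how much of the endpoint's traffic was classified.
func ScanLog(lines []string) ([]Finding, int) {
	var findings []Finding
	total := 0
	for _, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		req, err := url.Parse(m[2])
		if err != nil || req.Path != "/api/templates/fetch" {
			continue
		}
		total++
		target := req.Query().Get("url") // Query() also decodes percent-encoded parameters
		if reason := classifyTarget(target); reason != "" {
			findings = append(findings, Finding{ClientIP: m[1], Status: m[3], Target: target, Reason: reason})
		}
	}
	return findings, total
}

// sampleLog is constructed for this example; the addresses are documentation ranges.
var sampleLog = []string{
	`203.0.113.7 - - [09/Apr/2026:14:02:11 +0000] "GET /api/templates/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512`,
	`203.0.113.7 - - [09/Apr/2026:14:02:13 +0000] "GET /api/templates/fetch?url=http://127.0.0.1:2375/containers/json HTTP/1.1" 502 87`,
	`198.51.100.4 - - [09/Apr/2026:14:05:40 +0000] "GET /api/templates/fetch?url=https://raw.githubusercontent.com/example/templates/main/compose.yaml HTTP/1.1" 200 2048`,
	`198.51.100.4 - - [09/Apr/2026:14:06:02 +0000] "GET /api/containers HTTP/1.1" 200 1300`,
	`203.0.113.7 - - [09/Apr/2026:14:07:30 +0000] "GET /api/templates/fetch?url=http://10.0.0.12:9200/_cat/indices HTTP/1.1" 200 640`,
	`203.0.113.7 - - [09/Apr/2026:14:08:05 +0000] "GET /api/templates/fetch?url=http%3A%2F%2Fmetadata.google.internal%2FcomputeMetadata%2Fv1%2F HTTP/1.1" 403 41`,
}

func main() {
	findings, total := ScanLog(sampleLog)
	fmt.Printf("%d fetch requests, %d suspicious\n", total, len(findings))
	for _, f := range findings {
		fmt.Printf("%s -> %s [%s]: %s\n", f.ClientIP, f.Target, f.Status, f.Reason)
	}
}
```

A 502 or 403 against an internal target is still a finding: the error-based side channel described above means the attacker learned whether the port was open even when no body came back, so do not filter on status 200 when triaging.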