CVE-2026-40242

nvd nist nuclei

Published: Apr 10, 2026Modified: Apr 21, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. type. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.

Affected (1)

Products: Getarcane: Arcane

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Getarcane Arcane	Before 1.17.3

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/getarcaneapp/arcane/releases/tag/v1.17.3

Source: security-advisories@github.com

Release Notes

https://github.com/getarcaneapp/arcane/security/advisories/GHSA-ff24-4prj-gpmj

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/getarcaneapp/arcane/security/advisories/GHSA-ff24-4prj-gpmj

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.