CVE-2026-23944
Unauthenticated Proxy Access in Arcane Enables Remote Resource Manipulation

Publication date: 2026-01-19

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability.
Meta Information
Published: 2026-01-19
Last Modified: 2026-02-02
Generated: 2026-06-16
AI Q&A: 2026-01-20
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
unknown_vendor | arcane | to 1.13.2 (exc)
arcane | arcane | to 1.13.2 (inc)
CWE ID | Description
CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

This vulnerability affects Arcane, an interface for managing Docker environments. Before version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing attackers to access remote environment resources without authentication. The middleware handling environment proxy requests would forward requests with a manager-held agent token even if the requester was unauthenticated, enabling unauthorized access to operations like listing containers or streaming logs on remote environments.

Impact Analysis

An unauthenticated attacker could exploit this vulnerability to access and manipulate remote environment resources. This could lead to data exposure, unauthorized changes to the environment, or disruption of services managed through Arcane.

Mitigation Strategies

Upgrade Arcane to version 1.13.2 or later, as this version patches the vulnerability that allowed unauthenticated access to remote environment operations via the proxy.
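
The ordering flaw in the Description can be pinned down as a regression check. The Go sketch below is an added example, not Arcane's code: it builds the same two middleware both ways and reports what an unauthenticated caller gets back. The handler names, the `X-Agent-Token` header, the `local` environment ID, the token and session values, and the in-process stand-in for the agent are all assumptions made for illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

const agentToken, session = "constructed-agent-token", "Bearer constructed-session"
// requireAuth rejects any caller that does not present the (constructed) session.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != session {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// agent simulates a remote environment agent in-process: it trusts the token alone.
var agent = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Agent-Token") != agentToken { // hypothetical header name
		w.WriteHeader(http.StatusForbidden)
	}
})

// envProxy hands non-local environment requests to the agent with the manager's token.
func envProxy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/api/environments/local/") { // assumed local id
			next.ServeHTTP(w, r)
			return
		}
		r.Header.Set("X-Agent-Token", agentToken) // attached whoever the caller is
		agent.ServeHTTP(w, r)
	})
}

var flawed = envProxy(requireAuth(http.NotFoundHandler()))   // proxy runs before auth
var hardened = requireAuth(envProxy(http.NotFoundHandler())) // auth runs before proxy
// probe sends one remote-environment request through chain and returns the status.
func probe(chain http.Handler, authz string) int {
	req := httptest.NewRequest("GET", "/api/environments/remote-1/containers", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, req)
	return rec.Code
}
func main() { http.ListenAndServe("127.0.0.1:8080", hardened) }
```

With an empty `Authorization` value, `probe(flawed, "")` returns 200 because the proxy answers before the auth check is ever reached, while `probe(hardened, "")` returns 401. A test of this shape in a project's own suite catches a later reordering of the middleware chain.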
