CVE-2026-23944
Unauthenticated Proxy Access in Arcane Enables Remote Resource Manipulation
Publication date: 2026-01-19
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | arcane | to 1.13.2 (exc) |
| arcane | arcane | to 1.13.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Arcane, an interface for managing Docker environments. Before version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing attackers to access remote environment resources without authentication. The middleware handling environment proxy requests would forward requests with a manager-held agent token even if the requester was unauthenticated, enabling unauthorized access to operations like listing containers or streaming logs on remote environments.
How can this vulnerability impact me?
An unauthenticated attacker could exploit this vulnerability to access and manipulate remote environment resources. This could lead to data exposure, unauthorized changes to the environment, or disruption of services managed through Arcane.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Arcane to version 1.13.2 or later, as this version patches the vulnerability that allowed unauthenticated access to remote environment operations via the proxy.
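The failure mode described above and the middleware ordering that prevents it, as an added Go example (not Arcane's code): the route, the `X-Agent-Token` header, the token values and the in-process agent handler are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const agentToken = "constructed-agent-token" // manager-held secret (constructed value)

// envProxy (hypothetical, not Arcane's code) attaches the manager's token to whatever it is handed.
func envProxy(agent http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set("X-Agent-Token", agentToken) // hypothetical header name
		agent.ServeHTTP(w, r)                     // stands in for the network hop to the agent
	})
}

// requireAuth rejects callers without a valid session before next, and its token, is reached.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-session" { // stand-in for session validation
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one GET (no credentials when session is "") and returns the status and agent token hits.
func probe(hardened bool, session string) (status, tokenHits int) {
	agent := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Agent-Token") == agentToken {
			tokenHits++
		}
	})
	h := envProxy(agent)
	if hardened {
		h = requireAuth(h)
	}
	req := httptest.NewRequest(http.MethodGet, "/api/environments/1/containers", nil) // hypothetical route
	if session != "" {
		req.Header.Set("Authorization", "Bearer "+session)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, tokenHits
}

func main() { fmt.Println(probe(true, "")) }
```

A regression test of this shape, run against every proxied route, catches a route that is registered outside the authentication middleware.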