CVE-2026-40242
Received Received - Intake

Unauthenticated SSRF in Arcane /api/templates/fetch Endpoint

Vulnerability report for CVE-2026-40242, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-10

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. type. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-10
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getarcane arcane to 1.17.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Arcane, an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.17.3, the /api/templates/fetch endpoint accepts a URL parameter from the caller and performs a server-side HTTP GET request to that URL without any authentication or validation of the URL's scheme or host.

Because the server returns the response directly to the caller, this creates an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. This means an attacker can make the server send HTTP requests to arbitrary URLs, potentially accessing internal or protected resources.

Impact Analysis

This SSRF vulnerability can allow an attacker to make the vulnerable Arcane server send HTTP requests to internal or external systems without authentication.

The impact includes potential unauthorized access to internal services, exposure of sensitive information, and possible manipulation of internal network resources.

The CVSS score of 7.2 indicates a high severity with low attack complexity, no privileges required, and no user interaction needed, making exploitation relatively easy and impactful.

Mitigation Strategies

To mitigate this vulnerability, upgrade Arcane to version 1.17.3 or later, where the SSRF issue in the /api/templates/fetch endpoint has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40242. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart