CVE-2026-42461
Received - Intake
Unauthenticated Template Secrets Exposure in Arcane

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's real env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice, not a theoretical info-disclosure. The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0.
Meta Information
Published: 2026-05-09
Last Modified: 2026-05-09
Generated: 2026-05-09
AI Q&A: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
getarcaneapp arcane 1.18.0
getarcaneapp arcane to 1.18.0 (exc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Arcane versions prior to 1.18.0 involves four GET endpoints under /api/templates* in the backend that lack any security requirements. This means any unauthenticated network client can access and read the full Compose YAML and .env content of every custom template stored in the instance.

Because Arcane's UI allows operators to save real environment variables such as database passwords and API keys verbatim as templates, this missing authorization results in an unauthenticated read of sensitive operator secrets. The frontend treats these endpoints as protected and requires authentication for other operations, so this is an unintended backend authorization gap.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated access to sensitive operator secrets such as database passwords and API keys stored in custom templates. Exposure of such sensitive information can lead to unauthorized data access and potential data breaches.

Because the vulnerability results in unauthorized disclosure of confidential credentials and environment variables, it can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection of personal and confidential information.

The flaw represents a backend authorization gap that bypasses intended authentication controls, increasing the risk of data exposure and non-compliance with security requirements mandated by these regulations.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive information such as database passwords, API keys, and other environment secrets stored in custom templates. An attacker can access these secrets without authentication, potentially compromising the security of your systems.

Additionally, the exposed data enables internal asset enumeration, revealing details about the services and Compose files your team uses, which could aid reconnaissance or further attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the vulnerable GET endpoints under /api/templates* on the Arcane backend without authentication. Specifically, sending unauthenticated GET requests to endpoints such as /api/templates, /api/templates/all, /api/templates/{id}, and /api/templates/{id}/content can reveal whether sensitive Compose YAML and .env content is exposed.

You can use commands like curl to test these endpoints for unauthorized access. For example:

  • curl -v http://<arcane-instance>/api/templates
  • curl -v http://<arcane-instance>/api/templates/all
  • curl -v http://<arcane-instance>/api/templates/{id}
  • curl -v http://<arcane-instance>/api/templates/{id}/content

If these requests return Compose YAML or .env content without requiring authentication, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Arcane application to version 1.18.0 or later, where this vulnerability has been patched by adding proper authorization checks to the affected endpoints.

Until the upgrade can be performed, restrict network access to the Arcane backend API endpoints, especially the /api/templates* paths, to trusted and authenticated users only.

Additionally, review and rotate any potentially exposed secrets such as database passwords and API keys that may have been leaked due to this vulnerability.
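
To decide which secrets need rotating, the access logs of a reverse proxy in front of Arcane can be checked for successful reads of the template endpoints from outside operator networks. The following is an added example, not code from Arcane or from this page: it assumes combined-format access logs and a hypothetical list of trusted networks, and because such logs do not record whether a request carried credentials, the trusted-network filter is an approximation.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2026:10:00:01 +0000] "GET /api/templates HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/May/2026:10:02:11 +0000] "GET /api/templates/all HTTP/1.1" 200 4096 "-" "curl/8.5.0"
203.0.113.7 - - [09/May/2026:10:02:12 +0000] "GET /api/templates/tpl-1/content?x=1 HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - - [09/May/2026:10:02:13 +0000] "POST /api/templates HTTP/1.1" 401 64 "-" "curl/8.5.0"
198.51.100.9 - - [09/May/2026:10:05:00 +0000] "GET /api/templates/tpl-2 HTTP/1.1" 401 64 "-" "python-requests/2.32"
198.51.100.9 - - [09/May/2026:10:05:02 +0000] "GET /api/templatesx HTTP/1.1" 200 10 "-" "python-requests/2.32"
"""

# client, method, request target and status from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The four read paths named on this page: list, /all, /{id}, /{id}/content.
PATH_RE = re.compile(r'^/api/templates(?:/[^/]+(?:/content)?)?/?$')


def is_trusted(client, nets):
    try:
        addr = ip_address(client)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in nets)


def exposed_reads(log_text, trusted_nets):
    """Return {client: sorted template paths} for 2xx GETs from untrusted clients."""
    nets = [ip_network(n) for n in trusted_nets]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if method != "GET" or not status.startswith("2"):
            continue
        if PATH_RE.match(path) and not is_trusted(client, nets):
            hits[client].add(path)
    return {client: sorted(paths) for client, paths in hits.items()}


if __name__ == "__main__":
    for client, paths in exposed_reads(SAMPLE_LOG, ["10.0.0.0/8"]).items():
        print(client, paths)
```

Any path reported for a period when the instance ran a version before 1.18.0 marks templates whose .env values should be treated as disclosed.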

