CVE-2026-45625
Unauthenticated Git Credential Exfiltration in Arcane
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getarcaneapp | arcane | to 1.19.0 (exc) |
| getarcaneapp | arcane | 1.19.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows low-privilege users to exfiltrate plaintext Git credentials, including Personal Access Tokens and SSH keys, which can grant unauthorized access to source repositories and downstream systems.
Such unauthorized access and exfiltration of sensitive credentials can lead to breaches of confidentiality, integrity, and availability of data and systems.
Consequently, organizations using vulnerable versions of Arcane may face challenges in complying with standards and regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive data and require protection against unauthorized disclosure.
The vulnerability's critical severity (CVSS 9.9) underscores the high risk of data compromise, which could result in regulatory non-compliance, potential data breaches, and associated legal and financial penalties.
Can you explain this vulnerability to me?
CVE-2026-45625 is a critical vulnerability in the Arcane application (versions up to 1.18.1) that allows non-admin users to access and exfiltrate stored Git credentials and tamper with GitOps configurations.
The issue arises because eight out of nine API endpoints for managing Git repositories do not enforce admin authorization, only requiring user authentication. This means any logged-in user with the default user role can list, create, modify, delete, and test Git repository configurations.
An attacker can exploit this by changing a repository's URL to point to an attacker-controlled host while omitting authentication tokens or SSH keys. When Arcane tries to connect to this host, it decrypts and sends the legitimate Git credentials in plaintext to the attacker, enabling credential theft.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including the exfiltration of sensitive Git credentials such as Personal Access Tokens (PATs) or SSH keys, which often provide write access to source code repositories.
An attacker with these credentials can tamper with GitOps configurations by creating, modifying, or deleting repositories, potentially injecting malicious code or disrupting operations.
Additionally, the attacker can cause denial-of-service conditions by deleting critical configurations, impacting the availability and integrity of your systems.
The attack requires only a low-privilege user account, making it easier for attackers to exploit in default installations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API calls to the Arcane application, specifically requests to the endpoints under /api/customize/git-repositories and /api/git-repositories/sync. Suspicious activity includes non-admin users accessing or modifying Git repository configurations.
Commands to detect exploitation attempts might include inspecting logs for HTTP requests to these endpoints and checking for unusual repository URL changes pointing to unknown or attacker-controlled hosts.
- Use network monitoring tools to capture HTTP requests to /api/customize/git-repositories and /api/git-repositories/sync endpoints.
- Check Arcane application logs for API calls made by users with default 'user' roles to these endpoints.
- Look for repository URL updates that redirect to suspicious or external hosts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Arcane application to version 1.19.0 or later, where the vulnerability is fixed by enforcing admin authorization checks on the affected API endpoints.
Until the upgrade can be applied, restrict access to the vulnerable API endpoints to trusted admin users only, and monitor for suspicious activity from non-admin users.
- Upgrade Arcane to version 1.19.0 or later.
- Restrict API endpoint access to admin users.
- Monitor logs and network traffic for unauthorized access or suspicious repository URL changes.