CVE-2026-45625
Deferred Deferred - Pending Action
Unauthenticated Git Credential Exfiltration in Arcane

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints (list, create, get, update, delete, test, listBranches, browseFiles) never call the checkAdmin(ctx) helper that every other admin-managed resource (container registries, environments, users, API keys, swarm, settings, system, notifications, events) uses, and the huma authentication middleware deliberately enforces only authentication, not the admin role. As a result, any logged-in user with the default user role can list, create, modify, delete, and test git repository configurations. By repointing an existing repository's URL to an attacker-controlled host while omitting the token/sshKey fields (which UpdateRepository only rewrites when explicitly supplied), the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next /test, /branches, or /files call and present it as HTTP Basic auth (or SSH key auth) to the attacker's host β€” producing a one-step exfiltration of plaintext Git credentials. This vulnerability is fixed in 1.19.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45625
EUVD
EUVD-2026-33373
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
getarcaneapp arcane to 1.19.0 (exc)
getarcaneapp arcane 1.19.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45625 is a critical vulnerability in the Arcane application (versions up to 1.18.1) that allows non-admin users to access and exfiltrate stored Git credentials and tamper with GitOps configurations.

The issue arises because eight out of nine API endpoints for managing Git repositories do not enforce admin authorization, only requiring user authentication. This means any logged-in user with the default user role can list, create, modify, delete, and test Git repository configurations.

An attacker can exploit this by changing a repository's URL to point to an attacker-controlled host while omitting authentication tokens or SSH keys. When Arcane tries to connect to this host, it decrypts and sends the legitimate Git credentials in plaintext to the attacker, enabling credential theft.

Impact Analysis

This vulnerability can have severe impacts including the exfiltration of sensitive Git credentials such as Personal Access Tokens (PATs) or SSH keys, which often provide write access to source code repositories.

An attacker with these credentials can tamper with GitOps configurations by creating, modifying, or deleting repositories, potentially injecting malicious code or disrupting operations.

Additionally, the attacker can cause denial-of-service conditions by deleting critical configurations, impacting the availability and integrity of your systems.

The attack requires only a low-privilege user account, making it easier for attackers to exploit in default installations.

Detection Guidance

This vulnerability can be detected by monitoring API calls to the Arcane application, specifically requests to the endpoints under /api/customize/git-repositories and /api/git-repositories/sync. Suspicious activity includes non-admin users accessing or modifying Git repository configurations.

Commands to detect exploitation attempts might include inspecting logs for HTTP requests to these endpoints and checking for unusual repository URL changes pointing to unknown or attacker-controlled hosts.

  • Use network monitoring tools to capture HTTP requests to /api/customize/git-repositories and /api/git-repositories/sync endpoints.
  • Check Arcane application logs for API calls made by users with default 'user' roles to these endpoints.
  • Look for repository URL updates that redirect to suspicious or external hosts.
Mitigation Strategies

The immediate mitigation step is to upgrade the Arcane application to version 1.19.0 or later, where the vulnerability is fixed by enforcing admin authorization checks on the affected API endpoints.

Until the upgrade can be applied, restrict access to the vulnerable API endpoints to trusted admin users only, and monitor for suspicious activity from non-admin users.

  • Upgrade Arcane to version 1.19.0 or later.
  • Restrict API endpoint access to admin users.
  • Monitor logs and network traffic for unauthorized access or suspicious repository URL changes.
Compliance Impact

This vulnerability allows low-privilege users to exfiltrate plaintext Git credentials, including Personal Access Tokens and SSH keys, which can grant unauthorized access to source repositories and downstream systems.

Such unauthorized access and exfiltration of sensitive credentials can lead to breaches of confidentiality, integrity, and availability of data and systems.

Consequently, organizations using vulnerable versions of Arcane may face challenges in complying with standards and regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive data and require protection against unauthorized disclosure.

The vulnerability's critical severity (CVSS 9.9) underscores the high risk of data compromise, which could result in regulatory non-compliance, potential data breaches, and associated legal and financial penalties.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45625. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart