CVE-2026-47125
Remote Code Execution in Arcane Docker Management Interface

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By overriding values like REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY that other users reference via ${VAR} in compose files, an attacker can redirect image pulls to attacker-controlled registries (supply-chain RCE on the Docker host), exfiltrate database credentials, or disrupt all projects. This vulnerability is fixed in 1.19.2.
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
arcane arcane 1.19.2
getarcaneapp arcane 1.19.2
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows any authenticated non-admin user to overwrite global environment variables that are used across all projects, potentially leading to the exfiltration of sensitive data such as database credentials and secret keys.

Such unauthorized access and potential data leakage could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive information and the prevention of unauthorized disclosure.

Additionally, the ability to redirect image pulls to attacker-controlled registries and cause supply-chain remote code execution could compromise system integrity and availability, further impacting compliance with standards that mandate secure and reliable system operations.


Can you explain this vulnerability to me?

CVE-2026-47125 is a vulnerability in the Arcane application where the PUT /api/environments/{id}/templates/variables endpoint lacks proper admin authorization checks.

This endpoint writes to the system-wide .env.global file, which contains environment variables used across all projects.

Because of the missing admin check, any authenticated non-admin user can overwrite these global environment variables by calling the endpoint with their bearer token or API key.

This allows an attacker to modify critical variables like REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY, which other users reference in their compose files.

By doing so, an attacker can redirect image pulls to attacker-controlled registries, leading to supply-chain remote code execution (RCE) on the Docker host, steal database credentials, or disrupt all projects by corrupting the global variables.


How can this vulnerability impact me?

This vulnerability can severely impact the confidentiality, integrity, and availability of your projects.

  • An attacker can redirect Docker image pulls to malicious registries, enabling supply-chain remote code execution (RCE) on the Docker host.
  • They can exfiltrate sensitive credentials such as database URLs and secret keys by overwriting environment variables.
  • The attacker can disrupt all projects by corrupting the global environment variables file, causing widespread service disruption.

The vulnerability bypasses intended privilege boundaries, allowing non-admin users to perform admin-level actions, which increases the risk and impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring calls to the PUT /api/environments/{id}/templates/variables endpoint to check if any non-admin users are making requests to overwrite the .env.global file.

You can inspect API logs or network traffic for unauthorized usage of this endpoint by non-admin users.

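Suggested commands include using curl or a similar tool to test the endpoint with non-admin credentials and verify whether the authorization check is missing. The request is a write, so on a vulnerable instance a successful call modifies .env.global; run it against a test instance rather than production.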

  • curl -X PUT -H "Authorization: Bearer <non-admin-token>" -d '{"variables": {"REGISTRY":"malicious.registry"}}' https://<arcane-host>/api/environments/<id>/templates/variables
  • Review server logs for PUT requests to /api/environments/*/templates/variables from non-admin users.
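
A complementary check to the log review above, as an added example (not part of the original page or of Arcane's code): compare the current .env.global with a known-good copy and list the compose `image:` lines whose source depends on a changed variable. The sample file contents, the hostnames and the practice of keeping a baseline copy are constructed assumptions.

```python
import re

# Compose interpolation forms: ${VAR}, ${VAR:-default}, ${VAR:?err} and bare $VAR.
# "$$" is an escaped literal dollar sign, so references preceded by "$" are ignored.
VAR_REF = re.compile(r"(?<!\$)\$\{([A-Za-z_][A-Za-z0-9_]*)[^}]*\}|(?<!\$)\$([A-Za-z_][A-Za-z0-9_]*)")

def parse_env(text):
    """Parse KEY=VALUE lines of an env file; skip blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env

def changed_vars(baseline, current):
    """Return {name: (old, new)} for added, removed or modified variables."""
    b, c = parse_env(baseline), parse_env(current)
    return {k: (b.get(k), c.get(k)) for k in sorted(set(b) | set(c)) if b.get(k) != c.get(k)}

def affected_images(compose_text, changes):
    """Return (line_no, image_value, [changed vars]) for image: lines using a changed variable."""
    hits = []
    for no, line in enumerate(compose_text.splitlines(), 1):
        m = re.match(r"\s*image:\s*(\S+)", line)
        used = {a or b for a, b in VAR_REF.findall(m.group(1))} if m else set()
        touched = sorted(used & set(changes))
        if touched:
            hits.append((no, m.group(1), touched))
    return hits

# Constructed sample data: a saved baseline, the current .env.global, one compose file.
BASELINE = "REGISTRY=registry.internal.example\nIMAGE_TAG=1.4.2\n"
CURRENT = "REGISTRY=registry.changed.example\nIMAGE_TAG=1.4.2\nEXTRA=1\n"
COMPOSE = """services:
  web:
    image: ${REGISTRY}/web:${IMAGE_TAG:-latest}
  cache:
    image: redis:7
  worker:
    image: "$REGISTRY/worker:1.0"
"""

if __name__ == "__main__":
    print(changed_vars(BASELINE, CURRENT))
    print(affected_images(COMPOSE, changed_vars(BASELINE, CURRENT)))
```

Any hit on an `image:` line means the next deployment of that project pulls from a location the change controls, so those projects are the first to review.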

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Arcane to version 1.19.2 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict access to the PUT /api/environments/{id}/templates/variables endpoint to admin users only by implementing additional access controls or network restrictions.

Monitor and audit API usage to detect and block unauthorized attempts to modify the global environment variables.

