CVE-2026-47125

8.8 HIGH

Arcane is an interface for managing Docker containers, images, networks, and volumes

Published: 2026-05-29 · Last updated: 2026-05-29

Severity and scoring

CVSS: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-862

Description

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By overriding values like REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY that other users reference via ${VAR} in compose files, an attacker can redirect image pulls to attacker-controlled registries (supply-chain RCE on the Docker host), exfiltrate database credentials, or disrupt all projects. This vulnerability is fixed in 1.19.2.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-6964 — The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7 (5.3 MEDIUM)
CVE-2026-49775 — Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions (6.5 MEDIUM)
CVE-2026-49070 — Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions (7.5 HIGH)
CVE-2026-49065 — Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions (8.2 HIGH)
CVE-2026-48887 — Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions (6.5 MEDIUM)