PatchSiren cyber security CVE debrief
CVE-2026-45625 getarcaneapp CVE debrief
A critical authorization bypass in Arcane's GitOps repository management API allows any authenticated user to exfiltrate plaintext Git credentials. Eight administrative endpoints under `/api/customize/git-repositories` and `/api/git-repositories/sync` lack the `checkAdmin(ctx)` authorization check present on all other admin-managed resources. The huma authentication middleware enforces only authentication, not role-based access control. An attacker with default user privileges can modify an existing repository's URL to point to an attacker-controlled host while preserving the stored credentials. When Arcane subsequently calls `/test`, `/branches`, or `/files`, it decrypts and transmits the legitimate PAT or SSH key to the attacker's server via HTTP Basic authentication or SSH key authentication. This represents a one-step credential exfiltration with no user interaction required. The vulnerability affects all versions prior to 1.19.0.
- Vendor: getarcaneapp
- Product: arcane
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
- Organizations using Arcane for Docker container management with GitOps integration
- Security teams responsible for secrets management and CI/CD pipeline security
- DevOps engineers managing infrastructure-as-code deployments
- Compliance officers overseeing access control and privilege management frameworks
Technical summary
The Arcane container management platform's huma-based REST API contains an authorization bypass where eight Git repository management endpoints fail to enforce administrative role requirements. The `checkAdmin(ctx)` helper function, consistently applied to other admin resources (container registries, environments, users, API keys, swarm, settings, system, notifications, events), is absent from the list, create, get, update, delete, test, listBranches, and browseFiles endpoints. The huma middleware authenticates requests but does not validate the admin role. This architectural gap enables privilege escalation from default user to effective administrative control over GitOps configurations.

The attack vector exploits the update endpoint's partial field update behavior: when the URL is modified without supplying token or sshKey fields, the existing encrypted credentials persist. Subsequent API calls that test connectivity or enumerate repository contents trigger Arcane to decrypt and transmit these credentials to the attacker-controlled URL.

The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H reflects network exploitability, low attack complexity, low privileges required, no user interaction, changed scope, and high impacts across confidentiality, integrity, and availability.
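The two design weaknesses described above (a per-handler `checkAdmin(ctx)` call that individual endpoints can omit, and a partial update that carries stored credentials over to a new host) both have structural fixes. The following Go program is an added illustration and is not Arcane's code or its actual 1.19.0 fix: it uses only `net/http`, not huma, and the token table, role names, `requireAdmin`, `newRouter`, `status` and `updateRepoURL` are all constructed for this example. It shows admin authorization applied once to the whole Git-repository route group, so a newly added handler cannot forget the check, and an update path that drops the stored credential when the repository host changes without a fresh credential being supplied.

```go
package main

// Added illustration (not Arcane's code): enforce the admin role once at the
// route-group level instead of per handler, and clear stored credentials when
// a repository's host changes. All names, paths and tokens are constructed.

import (
	"context"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

type Role string

const (
	RoleUser  Role = "user"
	RoleAdmin Role = "admin"
)

type roleKey struct{}

// tokens is a constructed stand-in for the session/API-key store.
var tokens = map[string]Role{"user-token": RoleUser, "admin-token": RoleAdmin}

// authenticate mirrors an authentication-only middleware: it resolves the
// bearer token to a role and stores it in the context, but makes no
// authorization decision (the gap the advisory describes).
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		role, ok := tokens[tok]
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), roleKey{}, role)))
	})
}

// requireAdmin is the route-group equivalent of a checkAdmin(ctx) call.
// Wrapping the whole admin sub-router means no single handler can omit it.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := r.Context().Value(roleKey{}).(Role); role != RoleAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// okHandler is a placeholder for the real list/create/update/test handlers.
func okHandler(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// newRouter registers every Git-repository endpoint family from the advisory
// under one admin-gated sub-router; /api/me stands in for user-level routes.
func newRouter() http.Handler {
	admin := http.NewServeMux()
	admin.HandleFunc("/api/customize/git-repositories", okHandler)  // list, create
	admin.HandleFunc("/api/customize/git-repositories/", okHandler) // get/update/delete/test/branches/files
	admin.HandleFunc("/api/git-repositories/sync/", okHandler)

	root := http.NewServeMux()
	root.HandleFunc("/api/me", okHandler) // any authenticated user
	gated := requireAdmin(admin)
	root.Handle("/api/customize/git-repositories", gated)
	root.Handle("/api/customize/git-repositories/", gated)
	root.Handle("/api/git-repositories/sync/", gated)
	return authenticate(root)
}

// status issues one request against the router and returns the HTTP status.
func status(method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	newRouter().ServeHTTP(rec, req)
	return rec.Code
}

// Repo holds a repository URL and its stored (encrypted-at-rest) credential.
type Repo struct {
	URL        string
	Credential string
}

// updateRepoURL changes a repository's URL. If the host changes and no fresh
// credential is supplied, the stored credential is cleared rather than carried
// over to the new host. It returns whether the credential was cleared. Only
// scheme://host/path URLs are handled; scp-style "git@host:repo" is rejected.
func updateRepoURL(repo *Repo, newURL string, newCred *string) (bool, error) {
	oldU, err := url.Parse(repo.URL)
	if err != nil {
		return false, err
	}
	newU, err := url.Parse(newURL)
	if err != nil {
		return false, err
	}
	repo.URL = newURL
	if newCred != nil {
		repo.Credential = *newCred
		return false, nil
	}
	if !strings.EqualFold(oldU.Host, newU.Host) {
		repo.Credential = ""
		return true, nil
	}
	return false, nil
}
```

With this layout a request from a default user to any path under `/api/customize/git-repositories` or `/api/git-repositories/sync` is answered 403 before a handler runs, and the credential check means a host change forces the operator to re-enter the token or key rather than silently reusing the old one.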
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade Arcane to version 1.19.0 or later immediately
- Audit Git repository configurations for unauthorized URL modifications
- Rotate all Git personal access tokens and SSH keys configured in Arcane
- Review access logs for unexpected calls to /api/customize/git-repositories/* or /api/git-repositories/sync/* endpoints
- Implement network egress filtering to restrict Arcane's outbound connections to authorized Git hosts only
- Enable comprehensive audit logging for Git repository configuration changes
- Verify no unauthorized repository URLs were configured during the exposure window
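For the access-log review step, the following Go program is an added example, not Arcane's tooling. Arcane's own access-log format is not given in this debrief, so the line layout used here (`<time> <user> <role> <method> <path> <status>`) and the sample entries are constructed; adapt the field parsing to the real format. It flags every request to the two endpoint families named above that came from a principal without the admin role, and separates successful (2xx) calls, which indicate the missing check was actually exercised, from refused attempts.

```go
package main

// Added illustration for access-log review (not Arcane's tooling).
// Constructed log format: <time> <user> <role> <method> <path> <status>

import (
	"bufio"
	"strings"
)

// watchedPrefixes are the endpoint families named in the advisory.
var watchedPrefixes = []string{
	"/api/customize/git-repositories",
	"/api/git-repositories/sync",
}

// Hit is one access-log entry that touched a watched endpoint.
type Hit struct {
	Time, User, Role, Method, Path, Status string
}

// isWatched reports whether a request path falls under a watched prefix,
// matching on path-segment boundaries so "/sync" does not match "/syncing".
func isWatched(path string) bool {
	for _, p := range watchedPrefixes {
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// suspiciousHits returns entries where a principal without the admin role
// reached a watched endpoint. Refused attempts are returned too so the
// reviewer sees who tried, not only who succeeded.
func suspiciousHits(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 6 {
			continue // malformed line: skip rather than guess at fields
		}
		h := Hit{Time: f[0], User: f[1], Role: f[2], Method: f[3], Path: f[4], Status: f[5]}
		if h.Role != "admin" && isWatched(h.Path) {
			hits = append(hits, h)
		}
	}
	return hits
}

// succeeded reports whether a hit received a 2xx response.
func succeeded(h Hit) bool { return strings.HasPrefix(h.Status, "2") }

// countSucceeded returns how many of the hits got through.
func countSucceeded(hits []Hit) int {
	n := 0
	for _, h := range hits {
		if succeeded(h) {
			n++
		}
	}
	return n
}

// sampleLog is constructed sample data, not a real Arcane log.
const sampleLog = `2026-05-29T10:00:01Z alice admin GET /api/customize/git-repositories 200
2026-05-29T10:02:14Z bob user GET /api/containers 200
2026-05-29T10:03:40Z bob user PUT /api/customize/git-repositories/7 200
2026-05-29T10:03:41Z bob user POST /api/customize/git-repositories/7/test 200
2026-05-29T10:05:00Z carol user GET /api/git-repositories/sync/7 403
2026-05-29T10:06:00Z carol user GET /api/git-repositories/syncing 200
malformed line here
`
```

On the constructed sample, the admin's own call and the user's container request are ignored, the `/syncing` path is correctly excluded by the segment-boundary match, and three entries are reported, two of which succeeded. Any successful non-admin hit on an update, test, branches or files path in the exposure window should feed directly into the credential-rotation and URL-audit steps above.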
Evidence notes
Authorization bypass confirmed by missing `checkAdmin(ctx)` calls on eight endpoints versus consistent enforcement on comparable resources. Credential exfiltration mechanism validated through repository URL redirection with preserved credential fields. Fix version 1.19.0 explicitly addresses the missing authorization checks.
Official resources
- CVE-2026-45625 CVE record (CVE.org)
- CVE-2026-45625 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29