PatchSiren cyber security CVE debrief
CVE-2026-47125 getarcaneapp CVE debrief
A missing authorization check in Arcane's environment variable management API allows any authenticated user to overwrite system-wide global environment variables. The PUT /api/environments/{id}/templates/variables endpoint, which writes the .env.global file used for variable substitution across all project deployments, does not verify admin privileges. A non-admin attacker can therefore change variables referenced in Docker Compose files, such as REGISTRY, IMAGE, DATABASE_URL or SECRET_KEY, to redirect image pulls to attacker-controlled registries, exfiltrate database credentials, or disrupt every project on the host. Because a redirected pull can deliver a malicious container image, the issue has supply-chain remote code execution implications.
- Vendor: getarcaneapp
- Product: arcane
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running Arcane container management platform versions prior to 1.19.2; security teams responsible for Docker infrastructure and supply-chain security; DevOps engineers managing multi-tenant container deployments; compliance teams tracking authorization control failures in container orchestration platforms.
Technical summary
Arcane versions prior to 1.19.2 contain a missing authorization vulnerability (CWE-862) in the PUT /api/environments/{id}/templates/variables endpoint. This endpoint writes the system-wide .env.global file without verifying admin privileges, allowing any authenticated user to overwrite global environment variables. These variables are merged into every project's compose file deployment, enabling attackers to manipulate REGISTRY, IMAGE, DATABASE_URL, SECRET_KEY, and similar variables. Consequences include redirecting image pulls to malicious registries (supply-chain RCE), credential exfiltration, and widespread project disruption. The vulnerability requires network access and valid authentication but no administrative privileges or user interaction.
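The authorization gap described above, as an added example in Go that is not Arcane's code: a hypothetical handler for the variables endpoint in its CWE-862 shape (authentication only) beside the hardened form that also checks an admin role. The session lookup reads identity and role from two demo headers, the .env.global file is a string, and every name here is an assumption; Arcane's real handler, session type and route registration are not reproduced.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User is a hypothetical session principal; it is not Arcane's own type.
type User struct {
	Name  string
	Admin bool
}

// globalEnv stands in for the on-disk .env.global file the endpoint writes.
var globalEnv = "REGISTRY=registry.example.internal\n"

// sessionFrom resolves the caller. A real server would validate a session
// cookie or token; this demo reads identity and role from two headers that
// the caller below sets directly, so there is no real authentication here.
func sessionFrom(r *http.Request) (User, bool) {
	name := r.Header.Get("X-Demo-User")
	if name == "" {
		return User{}, false
	}
	return User{Name: name, Admin: r.Header.Get("X-Demo-Role") == "admin"}, true
}

// writeGlobalEnv replaces the global variable file with the request body.
func writeGlobalEnv(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	globalEnv = string(body)
	w.WriteHeader(http.StatusOK)
}

// vulnerableHandler follows the CWE-862 shape: it checks that a session
// exists, then writes. Any logged-in user reaches writeGlobalEnv.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := sessionFrom(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	writeGlobalEnv(w, r)
}

// fixedHandler adds the authorization step: authentication says who the
// caller is, the Admin check decides whether that caller may write.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	u, ok := sessionFrom(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	if !u.Admin {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	writeGlobalEnv(w, r)
}

// putVariables resets the global file, sends one PUT through h as the given
// user and returns the status code plus the file contents afterwards.
func putVariables(h http.HandlerFunc, user, role, body string) (int, string) {
	globalEnv = "REGISTRY=registry.example.internal\n"
	req := httptest.NewRequest(http.MethodPut,
		"/api/environments/1/templates/variables", strings.NewReader(body))
	req.Header.Set("X-Demo-User", user)
	req.Header.Set("X-Demo-Role", role)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, globalEnv
}

func main() {
	tamper := "REGISTRY=pull.attacker.example\n"
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableHandler}, {"fixed", fixedHandler}} {
		code, env := putVariables(c.h, "alice", "user", tamper)
		fmt.Printf("%-10s non-admin PUT -> %d, .env.global now %q\n", c.name, code, env)
	}
}
```

The point of the side-by-side is that the two handlers differ by one branch: with the vulnerable form a non-admin PUT returns 200 and the registry line is replaced, with the fixed form it returns 403 and the file is untouched. In a real code base that branch belongs in route middleware applied to every admin-only endpoint rather than in each handler, so that the next endpoint cannot omit it.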
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Arcane to version 1.19.2 or later to remediate the missing authorization check.
- Audit .env.global file contents and deployment logs for unauthorized modifications between initial deployment and patch application.
- Review and rotate any credentials stored in global environment variables that may have been exposed through variable tampering.
- Until the upgrade is complete, restrict network access to Arcane's API to trusted administrative hosts. This is only a partial mitigation: the flaw needs nothing more than a valid login, so any non-admin account that can reach the API at all can reach the vulnerable endpoint.
- Enable audit logging for all PUT requests to /api/environments/{id}/templates/variables and related template endpoints, and alert when the calling account is not an administrator.
- Verify that container image pull sources match expected registries; re-pull and verify image signatures for any deployments active during the exposure window.
- Review Docker Compose files across all projects for variables sourced from .env.global that could enable supply-chain attacks if manipulated.
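The last three actions above (audit the .env.global contents, verify pull sources, review compose files for globally sourced variables) can be combined into one check. As an added example that is not part of this page or of the Arcane project: parse a dotenv-style file, expand Compose-style ${VAR}, ${VAR:-default} and $VAR references in each service's image field, derive the registry host the way the Docker reference parser does, and flag every service whose resolved registry is not on an allowlist. The .env.global contents, the compose image fields and the allowlist are constructed sample data, and the last-key-wins merge rule is an assumption to confirm against Arcane's own behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// parseEnvFile reads KEY=VALUE lines of a dotenv-style file such as
// .env.global: blank lines and '#' comments are skipped, matching quotes
// around a value are dropped, and a repeated key keeps its last value
// (an assumption; confirm Arcane's own merge order before relying on it).
func parseEnvFile(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || strings.HasPrefix(k, "#") {
			continue
		}
		v = strings.TrimSpace(v)
		if len(v) >= 2 && (v[0] == '"' || v[0] == '\'') && v[len(v)-1] == v[0] {
			v = v[1 : len(v)-1]
		}
		env[strings.TrimSpace(k)] = v
	}
	return env
}

// varRef matches ${VAR}, ${VAR:-default} and $VAR.
var varRef = regexp.MustCompile(
	`\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}|\$([A-Za-z_][A-Za-z0-9_]*)`)

// substitute expands references Compose-style: a set, non-empty variable
// wins, otherwise the :- default (or the empty string) is used.
func substitute(s string, env map[string]string) string {
	return varRef.ReplaceAllStringFunc(s, func(m string) string {
		sub := varRef.FindStringSubmatch(m)
		name, def := sub[1], sub[2]
		if name == "" {
			name = sub[3]
		}
		if v := env[name]; v != "" {
			return v
		}
		return def
	})
}

// registryOf applies the Docker reference rule: the first path component is
// a registry only if it contains '.' or ':' or is "localhost"; anything else
// is a Docker Hub namespace.
func registryOf(image string) string {
	first, _, found := strings.Cut(image, "/")
	if found && (strings.ContainsAny(first, ".:") || first == "localhost") {
		return first
	}
	return "docker.io"
}

// Finding is a service whose resolved image comes from a non-allowlisted registry.
type Finding struct{ Service, Image, Registry string }

// auditImages resolves every service's image template through env and returns
// the services that would pull from a non-allowlisted registry, sorted by name.
func auditImages(services, env map[string]string, allowed []string) []Finding {
	ok := map[string]bool{}
	for _, a := range allowed {
		ok[strings.ToLower(a)] = true
	}
	var findings []Finding
	for name, tmpl := range services {
		img := substitute(tmpl, env)
		if reg := registryOf(img); !ok[strings.ToLower(reg)] {
			findings = append(findings, Finding{name, img, reg})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Service < findings[j].Service })
	return findings
}

// Constructed sample data: the expected .env.global, a copy with the extra line
// an unauthorized PUT could have appended, and compose image fields as they
// appear before substitution.
const cleanEnv = "REGISTRY=registry.example.internal\nIMAGE=shop/api\nTAG=2.4.1\n"
const tamperedEnv = cleanEnv + "REGISTRY=pull.attacker.example\n"
var composeServices = map[string]string{
	"api":   "${REGISTRY}/${IMAGE}:${TAG}",
	"db":    "postgres:16",
	"cache": "${CACHE_IMAGE:-redis:7}",
}
var allowedRegistries = []string{"registry.example.internal", "docker.io"}

func main() {
	for label, text := range map[string]string{"clean": cleanEnv, "tampered": tamperedEnv} {
		fmt.Printf("%s .env.global: %+v\n", label, auditImages(composeServices, parseEnvFile(text), allowedRegistries))
	}
}
```

With the clean file the audit returns nothing; with the tampered file it reports the api service pulling shop/api:2.4.1 from pull.attacker.example. Feed it the image fields from each project's compose file together with the .env.global read straight from the Arcane host, since that shows what the server-side merge produced rather than what a workstation's environment would substitute. Services that pass the registry check still need their image digests or signatures verified (the action above this example) because a tampered IMAGE or TAG value can select a different artifact on an allowed registry.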
Evidence notes
CVE published 2026-05-29T18:17:12.347Z; modified 2026-05-29T20:25:00.760Z. Advisory references GitHub Security Advisory GHSA-jpjh-jm2p-39hh. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-862 (Missing Authorization). Fixed in Arcane 1.19.2.
Official resources
- CVE-2026-47125 CVE record (CVE.org)
- CVE-2026-47125 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29