Arcane is a Docker management interface. Prior to version 1.19.4, the application fails to validate path-traversal sequences in Docker Compose include directives before returning file contents through the ProjectService.GetProjectFileContent API. An authenticated attacker can create a project with a malicious compose file containing an include directive referencing arbitrary filesystem paths (e.g., ../../ [truncated]
A missing authorization check in Arcane's environment variable management API allows any authenticated user to overwrite system-wide global environment variables. The PUT /api/environments/{id}/templates/variables endpoint, which writes the .env.global file used for variable substitution across all project deployments, fails to verify admin privileges. This enables non-admin attackers to manipulate variab [truncated]
Arcane versions prior to 1.19.0 contain a reflected cross-site scripting (XSS) vulnerability in the unauthenticated GET /api/app-images/logo endpoint. The endpoint accepts a user-supplied color query parameter and reflects it into an SVG document's <style> element using strings.ReplaceAll without proper escaping. An attacker can close the style block and inject executable <script> content. The response is [truncated]
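The substitution pattern this entry describes, placed beside a hardened version, as an added example in Go. This is illustrative code written for this page, not Arcane's own handler: the SVG template, the COLOR placeholder and the payload string are constructed, and the real template and the advisory's proof of concept are not reproduced.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for the logo document; the COLOR token marks where the
// query parameter is substituted into the stylesheet.
const logoTemplate = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">` +
	`<style>.mark{fill:COLOR}</style><circle class="mark" cx="32" cy="32" r="30"/></svg>`

// renderLogoUnsafe mirrors the pre-1.19.0 pattern: the raw query value is
// spliced into the <style> element with strings.ReplaceAll and no escaping, so
// a value containing "</style>" ends the stylesheet and whatever follows is
// parsed as markup.
func renderLogoUnsafe(color string) string {
	return strings.ReplaceAll(logoTemplate, "COLOR", color)
}

// cssColor accepts only the shapes a fill colour can legitimately take here: a
// 3-, 4-, 6- or 8-digit hex literal or a short alphabetic keyword such as "red".
// The value is a CSS token, not HTML text, so allow-listing its shape is the
// cleaner defence than trying to escape it for the <style> context.
var cssColor = regexp.MustCompile(`^(#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})|[a-zA-Z]{1,20})$`)

// renderLogoSafe validates before substituting and fails closed otherwise.
func renderLogoSafe(color string) (string, error) {
	if !cssColor.MatchString(color) {
		return "", fmt.Errorf("rejected color parameter %q", color)
	}
	return strings.ReplaceAll(logoTemplate, "COLOR", color), nil
}

// containsScript is the check a regression test would make: did a <script>
// element reach the response body?
func containsScript(svg string) bool {
	return strings.Contains(strings.ToLower(svg), "<script")
}

func main() {
	// Constructed payload showing the break-out; it is not the advisory's PoC.
	payload := `red}</style><script>alert(document.domain)</script><style>`
	fmt.Println("unsafe leaks script:", containsScript(renderLogoUnsafe(payload)))
	if _, err := renderLogoSafe(payload); err != nil {
		fmt.Println("safe rejects:", err)
	}
	svg, _ := renderLogoSafe("#1e90ff")
	fmt.Println(svg)
}
```

Because the endpoint takes no authentication, delivering the payload only requires a link. If an SVG carrying a script element is served inline as image/svg+xml and opened as a top-level document, browsers execute that script; the same markup embedded through an <img> tag does not run.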
Arcane versions 1.18.1 and earlier contain a command injection vulnerability in the volume browsing endpoint. The GET /environments/{id}/volumes/{volumeName}/browse endpoint accepts a path query parameter that is passed unsafely into a shell command executed within an Arcane helper container. While the application implements path traversal protection by blocking ../ sequences, the sanitization fails to ne [truncated]
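Both the compose-include traversal above and this volume-browse injection are path-handling defects, so one added Go example covers them: a confinement helper that resolves a user-supplied path under a root and rejects anything that escapes (what the include handling lacked), the pre-fix browse pattern of a "../" string filter followed by shell concatenation, and an argv-based replacement. This is illustrative code written for this page, not Arcane's; the root directories, the "logs; id" payload and the "ls -la" command are constructed, and the specific filter bypass the advisory refers to is not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// confine resolves userPath relative to root and returns the absolute path
// only if it remains inside root. Absolute inputs are rejected outright rather
// than silently re-rooted. The check is lexical: symlinks inside root are a
// separate concern not handled here.
func confine(root, userPath string) (string, error) {
	if strings.ContainsRune(userPath, 0) {
		return "", errors.New("NUL byte in path")
	}
	if filepath.IsAbs(userPath) {
		return "", errors.New("absolute paths are not allowed")
	}
	full := filepath.Join(root, userPath) // Join cleans, collapsing any ".." segments
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("%q escapes %s", userPath, root)
	}
	return full, nil
}

// includePaths resolves the include entries of a compose file for a project
// whose files live in projectDir, failing closed on the first escape. Entries
// are taken as already-parsed path strings.
func includePaths(projectDir string, includes []string) ([]string, error) {
	out := make([]string, 0, len(includes))
	for _, inc := range includes {
		p, err := confine(projectDir, inc)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// browseCommandUnsafe models the pre-fix volume-browse pattern: a "../" filter,
// then the path is concatenated into one string handed to a shell. The filter
// addresses traversal only; it knows nothing about shell grammar.
func browseCommandUnsafe(volumeRoot, userPath string) (string, error) {
	if strings.Contains(userPath, "../") {
		return "", errors.New("path traversal rejected")
	}
	return fmt.Sprintf("ls -la %s/%s", volumeRoot, userPath), nil
}

// browseArgsSafe confines the path and returns an argv slice suitable for
// exec.Command or "docker exec <container> ...". With no shell in the chain,
// no byte in userPath can change which program runs or how many arguments it
// receives; metacharacters become part of one filename argument.
func browseArgsSafe(volumeRoot, userPath string) ([]string, error) {
	full, err := confine(volumeRoot, userPath)
	if err != nil {
		return nil, err
	}
	return []string{"ls", "-la", full}, nil
}

func main() {
	const projectDir = "/srv/arcane/projects/demo" // constructed
	fmt.Println(includePaths(projectDir, []string{"services/db.yaml", "../../../../etc/passwd"}))

	const volumeRoot = "/volume" // constructed mount point inside the helper container
	payload := "logs; id"        // constructed: passes the "../" filter, ends the shell word
	fmt.Println(browseCommandUnsafe(volumeRoot, payload))
	fmt.Println(browseArgsSafe(volumeRoot, payload))
}
```

The traversal filter and the injection defence are different controls: the first bounds where a path may point, the second bounds how the path is interpreted by whatever consumes it. A string match on "../" provides neither reliably, which is why the example confines with filepath and removes the shell instead of extending the blocklist.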
A critical authorization bypass in Arcane's GitOps repository management API allows any authenticated user to exfiltrate plaintext Git credentials. Eight administrative endpoints under `/api/customize/git-repositories` and `/api/git-repositories/sync` lack the `checkAdmin(ctx)` authorization check present on all other admin-managed resources. The huma authentication middleware enforces only authentication [truncated]
CVE-2026-42461 describes a backend authorization gap in Arcane's template APIs. Before version 1.18.0, four GET endpoints under /api/templates* were registered without a Security requirement, so an unauthenticated network client could list and read the full Compose YAML and .env content for every custom template stored in an Arcane instance. The issue was patched in Arcane 1.18.0.
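The three authorization entries on this page (the global-variable PUT, the git-repository endpoints, and the template GETs) share one shape: a route was registered without the guard that policy required, either no authentication requirement at all or authentication without the admin check. An added Go example, not Arcane's code, shows a route registry audited against that policy so the gap fails a unit test before it ships, plus the request-time decision the guards make. The registry, the prefix list and the principal type are constructed; the paths are borrowed from the entries above only as labels, and the real framework's Security and checkAdmin mechanisms are modelled as two booleans.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// principal is the caller as established by the authentication layer.
type principal struct {
	name  string
	admin bool
}

// route is one registered operation with the guards its registration declared.
// needsAuth stands in for having a Security requirement at all; needsAdmin
// stands in for the per-handler admin check.
type route struct {
	method, path          string
	needsAuth, needsAdmin bool
}

// adminPaths are prefixes that policy says must be admin-only (constructed).
var adminPaths = []string{
	"/api/customize/git-repositories",
	"/api/git-repositories/sync",
	"/api/environments/{id}/templates/variables",
}

// anonymousOK lists the routes allowed to have no authentication requirement
// (constructed; the logo endpoint is unauthenticated by design).
var anonymousOK = map[string]bool{"GET /api/app-images/logo": true}

// authorize is the decision made at request time from the declared guards.
func authorize(rt route, p *principal) int {
	if rt.needsAuth && p == nil {
		return http.StatusUnauthorized
	}
	if rt.needsAdmin {
		if p == nil {
			return http.StatusUnauthorized
		}
		if !p.admin {
			return http.StatusForbidden
		}
	}
	return http.StatusOK
}

// auditRoutes compares the registry against policy and returns one finding per
// gap: an /api route with no authentication requirement that is not on the
// anonymous allowlist, or an admin-managed path without the admin check.
func auditRoutes(rs []route, allowAnon map[string]bool) []string {
	var findings []string
	for _, rt := range rs {
		key := rt.method + " " + rt.path
		if strings.HasPrefix(rt.path, "/api/") && !rt.needsAuth && !allowAnon[key] {
			findings = append(findings, key+": no authentication requirement")
		}
		for _, prefix := range adminPaths {
			if strings.HasPrefix(rt.path, prefix) && !rt.needsAdmin {
				findings = append(findings, key+": admin-managed resource without admin check")
				break
			}
		}
	}
	return findings
}

// exampleRegistry reproduces the shape of the three gaps: a template read with
// no Security requirement, and a global-variable write and a git-repository
// list that are authenticated but not admin-gated.
func exampleRegistry() []route {
	return []route{
		{"GET", "/api/templates", false, false},
		{"PUT", "/api/environments/{id}/templates/variables", true, false},
		{"GET", "/api/customize/git-repositories", true, false},
		{"POST", "/api/customize/git-repositories", true, true},
		{"GET", "/api/app-images/logo", false, false},
	}
}

func main() {
	for _, f := range auditRoutes(exampleRegistry(), anonymousOK) {
		fmt.Println("FINDING:", f)
	}
	user := &principal{name: "alice", admin: false}
	for _, rt := range exampleRegistry() {
		fmt.Printf("%-4s %-45s anon=%d user=%d\n", rt.method, rt.path, authorize(rt, nil), authorize(rt, user))
	}
}
```

The audit only works if the registry it walks is the one the server actually mounts, so in a real code base it should iterate the framework's operation list rather than a hand-maintained copy, and the admin prefix list should live beside the policy it encodes. Run as a test, a newly registered admin endpoint missing its guard fails the build instead of becoming the next entry on this page.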