HIGH
getarcaneapp
CVE published 2026-05-09
CVE-2026-42461
CVE-2026-42461 describes a backend authorization gap in Arcane's template APIs. Before version 1.18.0, four GET endpoints under /api/templates* were registered without a Security requirement, so an unauthenticated network client could list and read the full Compose YAML and .env content for every custom template stored in an Arcane instance. The issue was patched in Arcane 1.18.0.