Server-Side Request Forgery in Arcane Docker Management Interface
CVE-2026-40242

7.2 HIGH

Key Information:

CVE Published: 10 April 2026

What is CVE-2026-40242?

Arcane is a web interface for managing Docker containers, images, networks and volumes. Before version 1.17.3, its /api/templates/fetch endpoint accepts a caller-supplied URL and performs a server-side HTTP GET against it. The endpoint requires no authentication, does not restrict the URL's scheme or host, and relays the upstream response body back to the caller. Together these three defects make it an unauthenticated, full-read SSRF: anyone who can reach an Arcane instance can make the Arcane host issue requests to any service reachable from its network position, including services bound to localhost or to an internal network that is not otherwise exposed, and read the replies. Any public-facing instance is therefore exploitable without credentials. Upgrade to 1.17.3 or later; until then, do not expose the instance to untrusted networks.
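The hardened shape of such an endpoint, added here to show the three missing checks together; this is example code, not Arcane's, and it does not claim to reproduce how 1.17.3 fixed the issue. It assumes the URL arrives in a query parameter named url, and the Authorization-header test is a placeholder for whatever session mechanism the application really uses. The vulnerable shape, for contrast, is simply an http.Get on the caller's string with the response body copied back to the client.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

// IsForbiddenIP rejects what an SSRF wants from the server's network position:
// loopback, RFC 1918 and IPv6 ULA, link-local (cloud metadata), unspecified and
// multicast. IPv4-mapped IPv6 is normalised so ::ffff:10.0.0.1 reads as 10.0.0.1.
func IsForbiddenIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() || ip.IsInterfaceLocalMulticast()
}

// ValidateTemplateURL is the scheme and host check the endpoint lacked. It
// returns the resolved addresses so the fetch dials them directly; resolving
// again at dial time would let a DNS-rebinding name pass the check and then
// point at an internal address. The resolver is injected for offline testing.
func ValidateTemplateURL(raw string, lookup func(string) ([]net.IP, error)) (*url.URL, []net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || u.User != nil {
		return nil, nil, errors.New("missing host or embedded credentials")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address, nothing to resolve
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return nil, nil, fmt.Errorf("cannot resolve %q", host)
	}
	for _, ip := range ips {
		if IsForbiddenIP(ip) {
			return nil, nil, fmt.Errorf("%q resolves to forbidden address %s", host, ip)
		}
	}
	return u, ips, nil
}

// safeClient dials only the pre-validated address (TLS still verifies the
// certificate against the URL's hostname), refuses redirects so a public host
// cannot 302 the server into its own network, and bounds the wait.
func safeClient(ip net.IP) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("redirects are not followed")
		},
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
			},
		},
	}
}

// hardenedFetch: authenticated callers only, validated URL, bounded body.
func hardenedFetch(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") == "" { // placeholder for the real session check
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	u, ips, err := ValidateTemplateURL(r.URL.Query().Get("url"), net.LookupIP)
	if err != nil {
		http.Error(w, "invalid template url", http.StatusBadRequest)
		return
	}
	resp, err := safeClient(ips[0]).Get(u.String())
	if err != nil {
		http.Error(w, "fetch failed", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	io.Copy(w, io.LimitReader(resp.Body, 1<<20)) // relay at most 1 MiB
}
```

The ordering is the point: the name is resolved once, every returned address is checked, and the connection is made to that checked address rather than to the hostname again. Redirects are refused outright instead of being re-validated, which is simpler and is enough for a template fetch; a name that answers with both a public and a private address is rejected rather than partially allowed.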

Affected Version(s)

arcane < 1.17.3

CVSS V3.1

Score: 7.2
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Note on the metrics: as listed they spell the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, which the v3.1 base-score equations put at 8.3, not 7.2. A base score of 7.2 is what the same metrics yield with Availability: None (A:N), which would match an SSRF that reads responses but does not disrupt the service. One of the two values on this page is therefore a transcription error; take the vector and score from the authoritative CVE record rather than from this table.

Timeline

  • Vulnerability published: 10 April 2026

  • Vulnerability reserved