Admin Authorization Bypass in Arcane for Docker Management
CVE-2026-47125

8.8HIGH

Key Information:

Vendor

Getarcaneapp

Status
Arcane
Vendor
CVE Published:
29 May 2026

What is CVE-2026-47125?

The Arcane interface for Docker management has a vulnerability in its API endpoint, allowing authenticated non-admin users to update critical global environment variables. This oversight permits an attacker to manipulate essential configurations, leading to potential disruptions in project deployments or unauthorized data access. The flaw, which was rectified in version 1.19.2, could allow attackers to redirect Docker image pulls to malicious registries, compromising the integrity of software supply chains and risking exposure of sensitive data such as database credentials.

Affected Version(s)

arcane < 1.19.2

References

https://github.com/getarcaneapp/arcane/security/advisorie...
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.