High severity7.2NVD Advisory· Published Apr 10, 2026· Updated Apr 21, 2026

CVE-2026-40242

Description

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. type. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/getarcaneapp/arcane/backendGo	< 1.17.3	1.17.3

Affected products

Getarcane/Arcane
cpe:2.3:a:getarcane:arcane:*:*:*:*:*:*:*:*
Range: <1.17.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/getarcaneapp/arcane/security/advisories/GHSA-ff24-4prj-gpmjnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-ff24-4prj-gpmjghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-40242ghsaADVISORY
github.com/getarcaneapp/arcane/releases/tag/v1.17.3nvdRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000