{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/arcane-backend--1.18.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Arcane Backend (\u003c= 1.18.1)","github.com/getarcaneapp/arcane/backend"],"_cs_severities":["high"],"_cs_tags":["xss","reflected-xss","github","arcane-backend","cve-2026-45627"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eArcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected cross-site scripting (XSS) vulnerability via the \u003ccode\u003ecolor\u003c/code\u003e query parameter in the \u003ccode\u003e/api/app-images/logo\u003c/code\u003e endpoint. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application\u0026rsquo;s origin by crafting a malicious SVG image. Because the application lacks proper input validation, sanitization, and Content-Security-Policy (CSP) headers, an attacker can exploit this vulnerability to steal sensitive information such as admin JWT cookies, create new admin accounts, and gain full control over the Arcane Backend. 
The vulnerability is due to the direct use of user-controlled input within an SVG style tag without proper escaping.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL targeting the \u003ccode\u003e/api/app-images/logo\u003c/code\u003e endpoint, embedding XSS payload within the \u003ccode\u003ecolor\u003c/code\u003e query parameter, such as \u003ccode\u003ecolor=red}\u0026lt;/style\u0026gt;\u0026lt;script\u0026gt;fetch('/api/users',...)\u0026lt;/script\u0026gt;\u0026lt;style\u0026gt;x{\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim, a logged-in administrator, is enticed to visit the malicious URL through phishing or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eThe Arcane Backend processes the request without authentication, as the \u003ccode\u003eSecurity\u003c/code\u003e parameter is explicitly empty for this route.\u003c/li\u003e\n\u003cli\u003eThe backend\u0026rsquo;s \u003ccode\u003eapplyAccentColorToSVG\u003c/code\u003e function in \u003ccode\u003ebackend/internal/services/app_images_service.go\u003c/code\u003e uses \u003ccode\u003estrings.ReplaceAll\u003c/code\u003e to inject the attacker-controlled \u003ccode\u003ecolor\u003c/code\u003e value into the \u003ccode\u003elogo.svg\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe modified SVG image, containing the embedded XSS payload, is returned to the victim\u0026rsquo;s browser with the \u003ccode\u003eimage/svg+xml\u003c/code\u003e Content-Type.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the injected JavaScript code within the Arcane Backend\u0026rsquo;s origin due to the absence of CSP and \u003ccode\u003eX-Content-Type-Options\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe injected script steals the administrator\u0026rsquo;s \u003ccode\u003e__Host-token\u003c/code\u003e / \u003ccode\u003etoken\u003c/code\u003e HttpOnly JWT cookie and 
uses it to make authenticated requests.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the stolen cookie to create a new administrator account via \u003ccode\u003ePOST /api/users\u003c/code\u003e, gaining persistent access to the Arcane Backend.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a remote attacker to execute arbitrary JavaScript code in the context of a logged-in Arcane Backend administrator. This can lead to complete account compromise, including the ability to create persistent attacker-controlled admin accounts. Given that Arcane manages Docker daemons, container exec, image registries, and GitOps repositories, the attacker can also read/modify secrets stored in environments, registries, and Git repositories the admin can access, start or exec into containers on connected Docker hosts, leading to a full compromise of the Arcane infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to a patched version of Arcane Backend that addresses CVE-2026-45627.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Arcane Backend CVE-2026-45627 XSS Attempt via App Images Logo\u003c/code\u003e to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement the following HTTP response headers on all responses, especially to \u003ccode\u003e/api/app-images/*\u003c/code\u003e: \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e and \u003ccode\u003eContent-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eServe static images with \u003ccode\u003eContent-Disposition: inline\u003c/code\u003e and from a separate cookie-less origin to mitigate potential same-origin session riding.\u003c/li\u003e\n\u003cli\u003eEnforce a strict allowlist 
on the settings write path (\u003ccode\u003eSettingsService\u003c/code\u003e → \u003ccode\u003eAccentColor\u003c/code\u003e) to prevent stored XSS variants.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T14:19:55Z","date_published":"2026-05-18T14:19:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-arcane-xss/","summary":"Arcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected XSS (CVE-2026-45627) via the SVG color parameter, allowing attackers to inject executable script content and compromise admin accounts by enticing them to visit a malicious link.","title":"Arcane Backend Unauthenticated Reflected XSS via SVG Color Parameter Enables Admin Account Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-arcane-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcane backend (\u003c= 1.18.1)","github.com","gitlab.com"],"_cs_severities":["critical"],"_cs_tags":["credential-access","privilege-escalation","supply-chain-compromise","denial-of-service","information-disclosure","cloud","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["GitHub","GitLab"],"content_html":"\u003cp\u003eArcane\u0026rsquo;s huma-based REST API exposes nine endpoints under \u003ccode\u003e/api/customize/git-repositories\u003c/code\u003e and \u003ccode\u003e/api/git-repositories/sync\u003c/code\u003e for managing GitOps source repositories and their stored credentials. Eight of those endpoints never call the \u003ccode\u003echeckAdmin(ctx)\u003c/code\u003e helper used by other admin-managed resources, and the authentication middleware enforces only authentication, not the \u003ccode\u003eadmin\u003c/code\u003e role. As a result, any logged-in user with the default \u003ccode\u003euser\u003c/code\u003e role can list, create, modify, delete, and test git repository configurations. 
By repointing an existing repository\u0026rsquo;s URL to an attacker-controlled host while omitting the \u003ccode\u003etoken\u003c/code\u003e/\u003ccode\u003esshKey\u003c/code\u003e fields, the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next \u003ccode\u003e/test\u003c/code\u003e, \u003ccode\u003e/branches\u003c/code\u003e, or \u003ccode\u003e/files\u003c/code\u003e call and present it as HTTP Basic auth (or SSH key auth) to the attacker\u0026rsquo;s host, exfiltrating plaintext Git credentials. This affects Arcane versions 1.18.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Arcane backend using a normal \u003ccode\u003euser\u003c/code\u003e account, either through registration or a pre-existing account.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/customize/git-repositories\u003c/code\u003e to enumerate all configured Git repositories, obtaining their IDs, URLs, and authentication types.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePUT\u003c/code\u003e request to \u003ccode\u003e/api/customize/git-repositories/{id}\u003c/code\u003e with a JSON payload containing the key \u003ccode\u003eurl\u003c/code\u003e set to an attacker-controlled domain (e.g., \u003ccode\u003ehttps://attacker.tld/repo.git\u003c/code\u003e). 
The \u003ccode\u003etoken\u003c/code\u003e or \u003ccode\u003esshKey\u003c/code\u003e fields are intentionally omitted to preserve the existing encrypted credentials.\u003c/li\u003e\n\u003cli\u003eThe Arcane backend updates the repository configuration, changing the repository URL while retaining the encrypted credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/customize/git-repositories/{id}/test\u003c/code\u003e to trigger a connection test, or alternatively triggers a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e.../branches\u003c/code\u003e or \u003ccode\u003e.../files\u003c/code\u003e to list branches or browse files.\u003c/li\u003e\n\u003cli\u003eArcane decrypts the stored token or SSH key and attempts to authenticate to the attacker-controlled URL using HTTP Basic authentication or SSH key authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the decrypted credentials, which are exposed in cleartext.\u003c/li\u003e\n\u003cli\u003eOptionally, the attacker cleans up by sending another \u003ccode\u003ePUT\u003c/code\u003e request to restore the original URL or \u003ccode\u003eDELETE\u003c/code\u003e requests to all repos for DoS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability leads to cleartext exfiltration of stored Git credentials (PATs and SSH keys) configured by administrators for GitOps repositories. Stolen credentials grant write access to source repos, CI secrets, container registries, and production systems. Non-admin users can create, modify, and delete Git repository configurations, potentially injecting malicious code into deployments. An attacker can also trigger a denial of service by deleting repository configurations. Information disclosure of private repo contents is possible by listing files via the API. 
Default Arcane installations create new accounts with the \u003ccode\u003euser\u003c/code\u003e role, making the attack easily exploitable. This has a critical impact on supply chain integrity and overall system security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply authorization checks on the \u003ccode\u003e/api/customize/git-repositories\u003c/code\u003e and \u003ccode\u003e/api/git-repositories/sync\u003c/code\u003e endpoints, ensuring that only admin users can manage Git repository configurations.\u003c/li\u003e\n\u003cli\u003eImplement stricter validation and sanitization of input data, particularly the repository URL, to prevent redirection to malicious hosts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Arcane Git Repository URL Manipulation\u0026rdquo; to identify attempts to modify Git repository URLs to attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Arcane Git Repository Test Connection to External Domain\u0026rdquo; to detect attempts to test connections to external domains after a URL manipulation.\u003c/li\u003e\n\u003cli\u003eUpgrade Arcane backend to a patched version beyond 1.18.1 that addresses CVE-2026-45625.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T13:45:14Z","date_published":"2026-05-18T13:45:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-arcane-git-repo-auth-bypass/","summary":"Arcane's REST API lacks proper admin authorization checks on Git repository management endpoints, allowing any authenticated user to exfiltrate stored Git credentials and tamper with GitOps configurations by redirecting credential requests to an attacker-controlled host.","title":"Arcane Git Repository Authentication Bypass Leads to Credential Exfiltration and GitOps Tampering (CVE-2026-45625)","url":"https://feed.craftedsignal.io/briefs/2026-05-arcane-git-repo-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Arcane Backend (\u003c= 1.18.1)","version":"https://jsonfeed.org/version/1.1"}