https://feed.craftedsignal.io/products/arcane-backend--1.18.1/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 18 May 2026 14:19:55 +0000https://feed.craftedsignal.io/briefs/2026-05-arcane-xss/Mon, 18 May 2026 14:19:55 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-arcane-xss/Arcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected XSS (CVE-2026-45627) via the SVG color parameter, allowing attackers to inject executable script content and compromise admin accounts by enticing them to visit a malicious link.Arcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected cross-site scripting (XSS) vulnerability via the color query parameter in the /api/app-images/logo endpoint. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application’s origin by crafting a malicious SVG image. Because the application lacks proper input validation, sanitization, and Content-Security-Policy (CSP) headers, an attacker can exploit this vulnerability to steal sensitive information such as admin JWT cookies, create new admin accounts, and gain full control over the Arcane Backend. The vulnerability is due to the direct use of user-controlled input within an SVG style tag without proper escaping.

Attack Chain

1. An attacker crafts a malicious URL targeting the /api/app-images/logo endpoint, embedding XSS payload within the color query parameter, such as color=red}</style><script>fetch('/api/users',...)</script><style>x{.
2. The victim, a logged-in administrator, is enticed to visit the malicious URL through phishing or other social engineering techniques.
3. The Arcane Backend processes the request without authentication, as the Security parameter is explicitly empty for this route.
4. The backend’s applyAccentColorToSVG function in backend/internal/services/app_images_service.go uses strings.ReplaceAll to inject the attacker-controlled color value into the logo.svg file.
5. The modified SVG image, containing the embedded XSS payload, is returned to the victim’s browser with the image/svg+xml Content-Type.
6. The victim’s browser executes the injected JavaScript code within the Arcane Backend’s origin due to the absence of CSP and X-Content-Type-Options headers.
7. The injected script steals the administrator’s __Host-token / token HttpOnly JWT cookie and uses it to make authenticated requests.
8. The attacker leverages the stolen cookie to create a new administrator account via POST /api/users, gaining persistent access to the Arcane Backend.

Impact

Successful exploitation allows a remote attacker to execute arbitrary JavaScript code in the context of a logged-in Arcane Backend administrator. This can lead to complete account compromise, including the ability to create persistent attacker-controlled admin accounts. Given that Arcane manages Docker daemons, container exec, image registries, and GitOps repositories, the attacker can also read/modify secrets stored in environments, registries, and Git repositories the admin can access, start or exec into containers on connected Docker hosts, leading to a full compromise of the Arcane infrastructure.

Recommendation

• Immediately upgrade to a patched version of Arcane Backend that addresses CVE-2026-45627.
• Deploy the Sigma rule Detect Arcane Backend CVE-2026-45627 XSS Attempt via App Images Logo to detect exploitation attempts targeting the vulnerable endpoint.
• Implement the following HTTP response headers on all responses, especially to /api/app-images/*: X-Content-Type-Options: nosniff and Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:.
• Serve static images with Content-Disposition: inline and from a separate cookie-less origin to mitigate potential same-origin session riding.
• Enforce a strict allowlist on the settings write path (SettingsService → AccentColor) to prevent stored XSS variants.

]]>highadvisoryxssreflected-xssgithubarcane-backendcve-2026-45627https://feed.craftedsignal.io/briefs/2026-05-arcane-git-repo-auth-bypass/Mon, 18 May 2026 13:45:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-arcane-git-repo-auth-bypass/Arcane's REST API lacks proper admin authorization checks on Git repository management endpoints, allowing any authenticated user to exfiltrate stored Git credentials and tamper with GitOps configurations by redirecting credential requests to an attacker-controlled host.Arcane’s huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints never call the checkAdmin(ctx) helper used by other admin-managed resources, and the authentication middleware enforces only authentication, not the admin role. As a result, any logged-in user with the default user role can list, create, modify, delete, and test git repository configurations. By repointing an existing repository’s URL to an attacker-controlled host while omitting the token/sshKey fields, the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next /test, /branches, or /files call and present it as HTTP Basic auth (or SSH key auth) to the attacker’s host, exfiltrating plaintext Git credentials. This affects Arcane versions 1.18.1 and earlier.

Attack Chain

1. The attacker authenticates to the Arcane backend using a normal user account, either through registration or a pre-existing account.
2. The attacker sends a GET request to /api/customize/git-repositories to enumerate all configured Git repositories, obtaining their IDs, URLs, and authentication types.
3. The attacker crafts a PUT request to /api/customize/git-repositories/{id} with a JSON payload containing the key url set to an attacker-controlled domain (e.g., https://attacker.tld/repo.git). The token or sshKey fields are intentionally omitted to preserve the existing encrypted credentials.
4. The Arcane backend updates the repository configuration, changing the repository URL while retaining the encrypted credentials.
5. The attacker sends a POST request to /api/customize/git-repositories/{id}/test to trigger a connection test, or alternatively triggers a GET request to .../branches or .../files to list branches or browse files.
6. Arcane decrypts the stored token or SSH key and attempts to authenticate to the attacker-controlled URL using HTTP Basic authentication or SSH key authentication.
7. The attacker’s server receives the decrypted credentials, which are exposed in cleartext.
8. Optionally, the attacker cleans up by sending another PUT request to restore the original URL or DELETE requests to all repos for DoS.

Impact

The vulnerability leads to cleartext exfiltration of stored Git credentials (PATs and SSH keys) configured by administrators for GitOps repositories. Stolen credentials grant write access to source repos, CI secrets, container registries, and production systems. Non-admin users can create, modify, and delete Git repository configurations, potentially injecting malicious code into deployments. An attacker can also trigger a denial of service by deleting repository configurations. Information disclosure of private repo contents is possible by listing files via the API. The default Arcane installations create new accounts with role user, making the attack easily exploitable. This has a critical impact on supply chain integrity and overall system security.

Recommendation

• Apply authorization checks on the /api/customize/git-repositories and /api/git-repositories/sync endpoints, ensuring that only admin users can manage Git repository configurations.
• Implement stricter validation and sanitization of input data, particularly the repository URL, to prevent redirection to malicious hosts.
• Deploy the Sigma rule “Detect Arcane Git Repository URL Manipulation” to identify attempts to modify Git repository URLs to attacker-controlled domains.
• Deploy the Sigma rule “Detect Arcane Git Repository Test Connection to External Domain” to detect attempts to test connections to external domains after a URL manipulation.
• Upgrade Arcane backend to a patched version beyond 1.18.1 that addresses CVE-2026-45625.

]]>criticaladvisorycredential-accessprivilege-escalationsupply-chain-compromisedenial-of-serviceinformation-disclosurecloudauthentication-bypass