{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/arcane-before-1.18.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Arcane (before 1.18.0)"],"_cs_severities":["high"],"_cs_tags":["information-disclosure","vulnerability","arcane"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eArcane versions prior to 1.18.0 are susceptible to an unauthenticated information disclosure vulnerability. The vulnerability stems from four \u003ccode\u003eGET\u003c/code\u003e endpoints under the \u003ccode\u003e/api/templates*\u003c/code\u003e path in Arcane\u0026rsquo;s Huma backend that lack any security requirements. This design flaw allows any unauthenticated network client to list and read the full Compose YAML and \u003ccode\u003e.env\u003c/code\u003e content of every custom template stored in the instance. This includes sensitive information such as database passwords, API keys, and other secrets stored verbatim from the operator\u0026rsquo;s environment variables due to the \u0026ldquo;Save as Template\u0026rdquo; workflow on project creation pages. This vulnerability poses a significant risk of exposing critical infrastructure secrets and internal service details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an Arcane instance running a version prior to 1.18.0.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/templates\u003c/code\u003e to enumerate available templates, revealing names, descriptions, and tags.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/templates/{id}/content\u003c/code\u003e to retrieve the content of a specific template.\u003c/li\u003e\n\u003cli\u003eThe Arcane backend processes the request without authentication, due to missing security requirements on these endpoints.\u003c/li\u003e\n\u003cli\u003eThe backend retrieves the requested template content, including the \u003ccode\u003eContent\u003c/code\u003e and \u003ccode\u003eEnvContent\u003c/code\u003e fields from the database.\u003c/li\u003e\n\u003cli\u003eThe backend returns the template content to the attacker, including sensitive environment variables stored in plain text within the \u003ccode\u003eEnvContent\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information, such as database passwords, API keys, and registry tokens, from the \u003ccode\u003eEnvContent\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed credentials to gain unauthorized access to internal systems and services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to access sensitive information stored within Arcane templates. This includes database passwords, API keys, and other secrets, potentially leading to unauthorized access to critical systems and data. The enumeration of templates also reveals internal services and infrastructure details, aiding further reconnaissance. This vulnerability affects any Arcane instance running a version prior to 1.18.0 where operators have stored sensitive information in custom Compose templates.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Arcane to version 1.18.0 or later to patch the vulnerability (CVE-2026-42461).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious access to the template content endpoints.\u003c/li\u003e\n\u003cli\u003eReview existing templates for sensitive information and rotate any exposed credentials immediately.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to the Arcane instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-arcane-template-disclosure/","summary":"Arcane versions before 1.18.0 are vulnerable to an unauthenticated information disclosure on four GET endpoints under `/api/templates*`, allowing unauthorized access to Compose YAML and `.env` content including sensitive secrets.","title":"Arcane Unauthenticated Compose Template Content Disclosure","url":"https://feed.craftedsignal.io/briefs/2024-01-arcane-template-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Arcane (Before 1.18.0)","version":"https://jsonfeed.org/version/1.1"}