{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/arcane/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Arcane"],"_cs_severities":["high"],"_cs_tags":["arcane","authorization-bypass","rce","credential-theft","supply-chain"],"_cs_type":"advisory","_cs_vendors":["github"],"content_html":"\u003cp\u003eThe Arcane application, specifically versions 1.19.1 and earlier, contains a critical vulnerability related to the \u003ccode\u003ePUT /api/environments/{id}/templates/variables\u003c/code\u003e endpoint. This endpoint, which writes the system-wide \u003ccode\u003e.env.global\u003c/code\u003e file used for variable substitution in every project's compose file, lacks an admin authorization check. Consequently, any authenticated non-admin user can exploit this flaw by calling the endpoint with their bearer token or API key, effectively overwriting global environment variables that are merged into every project deployment. This oversight can be leveraged to compromise the entire Arcane instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Arcane application as a non-admin user, obtaining a valid bearer token or API key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/environments/{id}/templates/variables\u003c/code\u003e endpoint, with a malicious payload in the request body containing environment variables to overwrite.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious values for critical variables such as \u003ccode\u003eREGISTRY\u003c/code\u003e, \u003ccode\u003eIMAGE\u003c/code\u003e, \u003ccode\u003eDATABASE_URL\u003c/code\u003e, or \u003ccode\u003eSECRET_KEY\u003c/code\u003e. The \u003ccode\u003ekey\u003c/code\u003e field can contain embedded newlines to inject arbitrary keys.\u003c/li\u003e\n\u003cli\u003eThe Arcane backend processes the request through the \u003ccode\u003eUpdateGlobalVariables\u003c/code\u003e handler in \u003ccode\u003etemplates.go\u003c/code\u003e, which fails to perform an admin role check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUpdateGlobalVariables\u003c/code\u003e function in \u003ccode\u003etemplate_service.go\u003c/code\u003e writes the attacker-supplied key-value pairs to the \u003ccode\u003e\u0026lt;projectsDirectory\u0026gt;/.env.global\u003c/code\u003e file, without proper sanitization or validation of the key field.\u003c/li\u003e\n\u003cli\u003eAt deploy time, when any project loads its environment variables, the \u003ccode\u003eloadAndMergeGlobalEnv\u003c/code\u003e function in \u003ccode\u003eenv.go\u003c/code\u003e reads and merges the attacker-modified \u003ccode\u003e.env.global\u003c/code\u003e file into the project's environment.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eREGISTRY\u003c/code\u003e or \u003ccode\u003eIMAGE\u003c/code\u003e were modified, subsequent deployments will pull attacker-controlled images from a malicious registry, resulting in arbitrary code execution on the Docker host.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eDATABASE_URL\u003c/code\u003e or other sensitive connection strings were modified, applications will connect to attacker-controlled servers, allowing for credential theft and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a non-admin user to achieve several critical impacts: cross-project supply-chain RCE on the Docker host, credential theft from other users' projects, cross-tenant integrity compromise leading to service disruption, and bypass of the intended privilege boundary. The vulnerability impacts any Arcane instance where non-admin users have access to the API and the instance depends on the global environment variables. Successful exploitation could allow full control of the host system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of Arcane greater than 1.19.1 to address CVE-2026-47125.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Arcane Global Variable Override via API\u0026quot; to detect unauthorized modifications to global environment variables via the vulnerable API endpoint.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging and monitor HTTP requests to the \u003ccode\u003e/api/environments/{id}/templates/variables\u003c/code\u003e endpoint for suspicious activity, particularly PUT requests from non-admin users.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization on all user-supplied data, including environment variable keys and values, to prevent injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-23T00:19:52Z","date_published":"2026-05-23T00:19:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-arcane-global-vars-auth-bypass/","summary":"A missing admin authorization check in the Arcane application on the `PUT /api/environments/{id}/templates/variables` endpoint allows any authenticated non-admin user to overwrite global environment variables, leading to supply-chain RCE, credential theft, and cross-tenant impact by overriding critical configuration values.","title":"Arcane Global Variables Endpoint Missing Admin Authorization Check","url":"https://feed.craftedsignal.io/briefs/2026-05-arcane-global-vars-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Arcane","version":"https://jsonfeed.org/version/1.1"}