Attack Chain

1. An attacker identifies an Arcane instance running a version prior to 1.18.0.
2. The attacker sends an unauthenticated GET request to /api/templates to enumerate available templates, revealing names, descriptions, and tags.
3. The attacker sends an unauthenticated GET request to /api/templates/{id}/content to retrieve the content of a specific template.
4. The Arcane backend processes the request without authentication, due to missing security requirements on these endpoints.
5. The backend retrieves the requested template content, including the Content and EnvContent fields from the database.
6. The backend returns the template content to the attacker, including sensitive environment variables stored in plain text within the EnvContent.
7. The attacker extracts sensitive information, such as database passwords, API keys, and registry tokens, from the EnvContent.
8. The attacker uses the exposed credentials to gain unauthorized access to internal systems and services.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to access sensitive information stored within Arcane templates. This includes database passwords, API keys, and other secrets, potentially leading to unauthorized access to critical systems and data. The enumeration of templates also reveals internal services and infrastructure details, aiding further reconnaissance. This vulnerability affects any Arcane instance running a version prior to 1.18.0 where operators have stored sensitive information in custom Compose templates.

Recommendation

• Upgrade Arcane to version 1.18.0 or later to patch the vulnerability (CVE-2026-42461).
• Deploy the following Sigma rule to detect suspicious access to the template content endpoints.
• Review existing templates for sensitive information and rotate any exposed credentials immediately.
• Implement network segmentation to limit access to the Arcane instance.