CVE-2026-40242 HIGH

CVE-2026-40242: Arcane Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint

Vendor Getarcaneapp
Product arcane
Weakness CWE-918 · SSRF
Published April 10, 2026
Last update April 13, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. type. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
April 13, 2026 Record updated