EXECUTIVE SUMMARY:
CVE-2026-47125 (CVSS 8.8) affects the Go package github.com/getarcaneapp/arcane/backend in versions 1.19.1 and earlier: the PUT /api/environments/{id}/templates/variables endpoint is missing an admin authorization check. Any authenticated non-admin user can call the endpoint with their bearer token or API key and overwrite the global environment variables used for variable substitution in every project's compose file, potentially redirecting image pulls to attacker-controlled registries, exfiltrating database credentials, or disrupting all projects. The business impact includes supply-chain RCE on the Docker host, exfiltration of sensitive data, and disruption of all projects. Exploitation requires authenticated access to the affected endpoint.
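The missing check described above, as an added example that is not Arcane's own code: the same route guarded by authentication only and then by an admin role check, exercised the way a regression test would. The token table, the `guard` and `putVariables` names, the prefix route and the `env-1` id are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed token table standing in for real bearer-token / API-key validation.
var roles = map[string]string{"admin-token": "admin", "user-token": "user"}

func roleOf(r *http.Request) string {
	return roles[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
}

// guard authenticates every request. adminOnly=false reproduces the missing
// role check; adminOnly=true is the hardened form (403 for non-admins).
func guard(adminOnly bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch role := roleOf(r); {
		case role == "":
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case adminOnly && role != "admin":
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// putVariables sends the PUT from the advisory with the given token and
// returns the HTTP status the guarded handler produces.
func putVariables(adminOnly bool, token string) int {
	update := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent) // stand-in for overwriting the global variables
	})
	mux := http.NewServeMux()
	mux.Handle("/api/environments/", guard(adminOnly, update)) // hypothetical prefix route
	req := httptest.NewRequest(http.MethodPut,
		"/api/environments/env-1/templates/variables", strings.NewReader("{}"))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("auth only, non-admin:", putVariables(false, "user-token"))
	fmt.Println("admin check, non-admin:", putVariables(true, "user-token"))
	fmt.Println("admin check, admin:", putVariables(true, "admin-token"))
}
```

A test that asserts 403 for a non-admin credential on every state-changing admin route catches this class of regression before release.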
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-jpjh-jm2p-39hh