Threat Advisory

Arcane Backend Vulnerability Exposes Authorization Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Arcane backend versions <= 1.18.1. The vulnerabilities include cross-site scripting (XSS) and missing admin authorization on Git repository endpoints, which can be exploited by attackers to gain unauthorized access and manipulate sensitive data. The business risk and impact of these vulnerabilities are significant, as they can lead to unauthorized access to sensitive data, including Git credentials, and potentially allow attackers to take control of administrative accounts. This can result in data breaches, disruption of services, and financial loss.


  • CVE-2026-45627 with a CVSS score of 8.2 – An unauthenticated reflected XSS vulnerability in the Arcane Backend's `GET /api/app-images/logo` endpoint allows attackers to inject executable script content, enabling them to take control of an admin account. This vulnerability can be exploited by navigating a logged-in admin victim to a crafted URL.
  • CVE-2026-45625 with a CVSS score of 9.9 – Missing admin authorization on eight of nine Git repository endpoints in the Arcane Backend allows non-admin users to list, create, modify, delete, and test Git repository configurations. Attackers can repoint an existing repository's URL to an attacker-controlled host while omitting the `token`/`sshKey` fields, causing Arcane to decrypt the legitimate PAT/SSH key on its next `/test`, `/branches`, or `/files` call and present it as HTTP Basic auth to the attacker's host.

The overall risk and urgency of these vulnerabilities are high, as they can be exploited by attackers to gain unauthorized access to sensitive data and potentially take control of administrative accounts. If exploited, this can result in significant business consequences, including data breaches, disruption of services, and financial loss.
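A defender-side illustration of the fix class for CVE-2026-45625, added here as an example and not code from the Arcane project: an admin-only guard meant to be mounted on every Git repository route (not just one of nine), plus an update merge that binds a stored credential to the host it was issued for, so repointing a repository's URL without supplying a new credential cannot cause the old one to be presented to the new host. The `GitRepo` type, the `principal` session lookup and the route handling are assumptions rather than Arcane's API; only absolute URL remotes are handled (scp-style `git@host:path` remotes are out of scope).

```go
package main

import (
	"net/http"
	"net/url"
)

// GitRepo is an assumed stand-in for Arcane's stored repository config (secrets encrypted at rest in practice).
type GitRepo struct{ URL, Token, SSHKey string }

// requireAdmin answers 401 to anonymous and 403 to non-admin callers. The fix class for
// CVE-2026-45625 is mounting all nine git-repository routes behind it, not just one.
func requireAdmin(principal func(*http.Request) (admin, ok bool), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch admin, ok := principal(r); {
		case !ok:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case !admin:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// applyUpdate merges a partial update into a stored config. A credential is bound to the
// host it was issued for: if the host changes and no replacement is supplied, the old
// secret is cleared instead of being decrypted and presented to the new host on the
// next /test, /branches or /files call.
func applyUpdate(cur GitRepo, newURL, newToken, newSSHKey string) (GitRepo, bool) {
	out := cur
	if newURL != "" && newURL != cur.URL {
		oldU, err1 := url.Parse(cur.URL)
		newU, err2 := url.Parse(newURL)
		if err1 != nil || err2 != nil || oldU.Host == "" || newU.Host == "" {
			return cur, false // relative or malformed remotes are rejected outright
		}
		out.URL = newURL
		if oldU.Host != newU.Host && newToken == "" && newSSHKey == "" {
			out.Token, out.SSHKey = "", "" // never carry the old secret over to another host
		}
	}
	if newToken != "" {
		out.Token = newToken
	}
	if newSSHKey != "" {
		out.SSHKey = newSSHKey
	}
	return out, true
}
```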

RECOMMENDATION:

  • We recommend updating Arcane backend to version 1.19.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-q2pj-8v84-9mh5
https://github.com/advisories/GHSA-7h26-hg47-p9hx
