CVE-2026-40242
Published: 10 April 2026
Summary
CVE-2026-40242 is a high-severity SSRF (CWE-918) vulnerability in Getarcane Arcane. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.17.3, its /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs an unauthenticated server-side HTTP GET request to that URL without validating the scheme or host. The response is returned directly to the caller, creating an unauthenticated SSRF vulnerability (CWE-918) that affects any publicly reachable Arcane instance and carries a CVSS 3.1 score of 7.2.
An unauthenticated remote attacker can supply an arbitrary URL to the endpoint and cause the Arcane server to retrieve and return the corresponding resource. This allows the attacker to probe or interact with internal hosts, cloud metadata services, or other network resources reachable from the server, resulting in limited confidentiality and integrity impacts without requiring user interaction.
The vulnerability is fixed in Arcane 1.17.3, as stated in the project's release notes and the accompanying GitHub Security Advisory GHSA-ff24-4prj-gpmj. The advisory and patch are available at the referenced GitHub URLs.
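The scheme and host validation the advisory says the endpoint lacked, as an added example written for this page in Go (not Arcane's own code or its 1.17.3 patch). validateFetchURL and isForbiddenIP are assumed names; the resolver is injected so the check can be exercised offline.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// isForbiddenIP rejects loopback, private (RFC 1918/ULA), link-local (covers the
// 169.254.169.254 metadata address), multicast and unspecified; IPv4-mapped IPv6 too.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// validateFetchURL applies the scheme and host checks the vulnerable endpoint
// lacked. resolve is injected (net.LookupIP in production, a stub in tests); the
// vetted address is returned so the caller dials it directly (no re-resolve/rebind).
func validateFetchURL(raw string, resolve func(string) ([]net.IP, error)) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("empty host in %q", raw)
	}
	ips := []net.IP{net.ParseIP(host)} // literal address needs no lookup
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips { // every record must be public
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("%q resolves to forbidden address %s", host, ip)
		}
	}
	return ips[0], nil
}

func main() {
	_, err := validateFetchURL("http://169.254.169.254/", net.LookupIP)
	fmt.Println(err) // "169.254.169.254" resolves to forbidden address 169.254.169.254
}
```

The returned address should be what the HTTP client actually connects to (for example via a custom dialer), otherwise a second DNS answer can still steer the request inside the network.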
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21599
Vulnerability details
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SSRF in a public-facing Arcane instance directly enables T1190 (Exploit Public-Facing Application). The ability to issue arbitrary internal HTTP requests and relay the responses also facilitates T1046 (Network Service Discovery), since the server can be used to probe internal ports and interact with internal services.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of the caller-supplied url parameter at the /api/templates/fetch endpoint to prevent SSRF exploitation.
- AC-3 (Access Enforcement): enforces authentication and authorization to block unauthenticated access to the vulnerable /api/templates/fetch endpoint.
- Boundary monitoring: monitors and controls outbound communications at system boundaries to mitigate SSRF attempts against internal or arbitrary hosts.