Cyber Resilience

CVE-2026-40242

Severity: High · Public PoC

Published: 10 April 2026
Modified: 21 April 2026
KEV Added: not listed
Patch: available (fixed in Arcane 1.17.3)
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0093 (76.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40242 is a high-severity SSRF (CWE-918) vulnerability in Getarcane Arcane. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.17.3, its /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs an unauthenticated server-side HTTP GET request to that URL without validating the scheme or host. The response is returned directly to the caller, creating an unauthenticated SSRF vulnerability (CWE-918) that affects any publicly reachable Arcane instance and carries a CVSS 3.1 score of 7.2.

An unauthenticated remote attacker can supply an arbitrary URL to the endpoint and cause the Arcane server to retrieve and return the corresponding resource. This allows the attacker to probe or interact with internal hosts, cloud metadata services, or other network resources reachable from the server, resulting in limited confidentiality and integrity impacts without requiring user interaction.

The vulnerability is fixed in Arcane 1.17.3, as stated in the project's release notes and the accompanying GitHub Security Advisory GHSA-ff24-4prj-gpmj. The advisory and patch are available at the referenced GitHub URLs.

Vulnerability details

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

The unauthenticated SSRF in the public-facing Arcane application directly enables T1190 (Exploit Public-Facing Application). The ability to make the server issue arbitrary internal HTTP requests and relay the responses facilitates T1046 (Network Service Discovery) through port scanning and internal service interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13924 (shared CWE-918)
CVE-2026-42860 (shared CWE-918)
CVE-2025-25785 (shared CWE-918)
CVE-2024-53705 (shared CWE-918)
CVE-2026-5418 (shared CWE-918)
CVE-2026-45082 (shared CWE-918)
CVE-2026-7065 (shared CWE-918)
CVE-2025-55150 (shared CWE-918)
CVE-2025-28091 (shared CWE-918)
CVE-2025-1849 (shared CWE-918)

Affected Assets

Vendor: getarcane
Product: arcane
Versions: ≤ 1.17.3

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent)
Requires validation of the caller-supplied url parameter at the /api/templates/fetch endpoint to prevent SSRF exploitation.

AC-3 Access Enforcement (prevent)
Enforces authentication and authorization to block unauthenticated access to the vulnerable /api/templates/fetch endpoint.

Outbound communications monitoring (prevent, detect)
Monitors and controls outbound communications at system boundaries to mitigate SSRF attempts to internal or arbitrary hosts.
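The scheme and host validation that the Deeper analysis section describes as missing from the /api/templates/fetch endpoint, and that the SI-10 control above calls for, as an added Go example: this is not Arcane's code or its fix, it needs Go 1.18+ for net/netip, and the LookupFunc type, ValidateFetchURL and the resolved-address checks are this example's own design.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/netip"
	"net/url"
)

// LookupFunc resolves a hostname to its addresses; injected so production code
// wraps net.DefaultResolver.LookupNetIP and tests pass an offline fake.
type LookupFunc func(ctx context.Context, host string) ([]netip.Addr, error)

// isDisallowed flags destinations a template fetch must never reach: loopback,
// RFC 1918/ULA, link-local (the 169.254.169.254 metadata address), unspecified, multicast.
func isDisallowed(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 the same as 127.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsUnspecified() || a.IsMulticast()
}

// ValidateFetchURL applies the checks the advisory says were missing: only
// http/https, a host without embedded credentials, and no resolved address in
// a disallowed range. On success it returns the parsed URL for the caller to fetch.
func ValidateFetchURL(ctx context.Context, raw string, lookup LookupFunc) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" { // url.Parse lowercases Scheme
		return nil, errors.New("scheme not allowed: only http and https")
	}
	host := u.Hostname()
	if host == "" || u.User != nil {
		return nil, errors.New("missing host or embedded credentials")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // IP literal: nothing to resolve
	} else if addrs, err = lookup(ctx, host); err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("cannot resolve %q", host)
	}
	for _, a := range addrs {
		if isDisallowed(a) {
			return nil, fmt.Errorf("%q resolves to disallowed address %s", host, a)
		}
	}
	return u, nil
}
```

Checking the resolved addresses rather than only the hostname string catches public-looking names that resolve into private ranges. To also cover the name resolving differently when the fetch itself is made, the vetted address should be pinned in the HTTP client's dialer rather than resolved a second time.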

References