CVE-2026-40242
Published: 10 April 2026
Summary
CVE-2026-40242 is a high-severity SSRF (CWE-918) vulnerability in Getarcane Arcane. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the caller-supplied URL parameter at the /api/templates/fetch endpoint to prevent SSRF exploitation.
Enforces authentication and authorization to block unauthenticated access to the vulnerable /api/templates/fetch endpoint.
Monitors and controls outbound communications at system boundaries to mitigate SSRF attempts to internal or arbitrary hosts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SSRF in public-facing Arcane app directly enables T1190 (Exploit Public-Facing Application). Ability to issue arbitrary internal HTTP requests and relay responses facilitates T1046 (Network Service Discovery) via port scanning and internal service interaction.
NVD Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or…
more
host validation. The server's response is returned directly to the caller. type. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. This vulnerability is fixed in 1.17.3.
Deeper analysisAI
CVE-2026-40242 is an unauthenticated server-side request forgery (SSRF) vulnerability in Arcane, an interface for managing Docker containers, images, networks, and volumes. In versions prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied URL parameter and performs a server-side HTTP GET request to that URL without requiring authentication, URL scheme validation, or host validation. The response from the requested server is then returned directly to the caller, enabling exploitation on any publicly reachable Arcane instance. The vulnerability is classified under CWE-918 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Any unauthenticated attacker with network access to a vulnerable Arcane instance can exploit this flaw by sending a crafted request to the /api/templates/fetch endpoint, tricking the server into making unintended HTTP requests to arbitrary URLs. This allows attackers to interact with internal services, conduct port scanning, or exfiltrate data from resources inaccessible from the public internet, as the server's response is relayed back to the attacker. The changed scope in the CVSS vector highlights the potential for impact beyond the vulnerable component itself.
The vulnerability is fixed in Arcane version 1.17.3, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to v1.17.3 or later and review configurations to ensure Arcane instances are not publicly exposed unless necessary. Relevant resources include the GitHub release at https://github.com/getarcaneapp/arcane/releases/tag/v1.17.3 and the advisory at https://github.com/getarcaneapp/arcane/security/advisories/GHSA-ff24-4prj-gpmj.
Details
- CWE(s)