Platform: docker
Component: arcane
Fixed in: 1.17.4
CVE-2026-40242 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Arcane, an interface for managing Docker containers. This vulnerability allows an unauthenticated attacker to make arbitrary HTTP GET requests on behalf of the Arcane server, potentially exposing internal resources. The vulnerability impacts Arcane versions 1.0.0 through 1.17.2 and has been resolved in version 1.17.3.
The SSRF vulnerability in Arcane allows attackers to bypass access controls and potentially reach internal services and data that are not directly exposed to the internet. An attacker could supply a crafted URL to the /api/templates/fetch endpoint, causing Arcane to retrieve data from internal network resources, cloud metadata services (such as AWS or Azure instance metadata), or external websites. This could lead to information disclosure, privilege escalation, or further exploitation of other vulnerabilities within the internal network. The lack of both authentication and URL validation makes this vulnerability particularly concerning, as any publicly accessible Arcane instance is at risk.
CVE-2026-40242 was publicly disclosed on 2026-04-10. The vulnerability's simplicity and lack of authentication suggest a potentially high probability of exploitation (EPSS score likely medium to high). While no public proof-of-concept (PoC) has been widely reported, the SSRF nature of the vulnerability makes it easily exploitable. It is listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40242 is to immediately upgrade Arcane to version 1.17.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the Arcane instance using a firewall or network segmentation. A Web Application Firewall (WAF) could be configured to block requests to the /api/templates/fetch endpoint or filter requests based on the URL scheme and host. Monitor Arcane logs for suspicious activity, specifically requests to unusual or internal URLs. After upgrading, confirm the fix by attempting to access an internal resource via the /api/templates/fetch endpoint; the request should be denied.
Update Arcane to version 1.17.3 or higher to mitigate the SSRF vulnerability. This update corrects the lack of URL validation in the /api/templates/fetch endpoint, preventing attackers from performing arbitrary HTTP requests through the server.
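The advisory says the fix adds URL validation to the /api/templates/fetch endpoint and, as an interim measure, recommends reviewing logs for fetch requests aimed at internal URLs. The Go program below is an added example written for this page, not Arcane's code: it shows what a server-side fetch validator looks like (scheme restricted to http/https, every resolved address checked against loopback, private, link-local, cloud-metadata and other non-routable ranges, IPv4-mapped IPv6 unmapped before the check) and reuses the same check to flag already-served requests in access logs. The "url" query parameter name, the log line format, the hostnames and the addresses are all constructed assumptions; the resolver is injected so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Resolver maps a hostname to the addresses a fetch would connect to. Injected
// so the check runs offline here; a service would wrap net.DefaultResolver.LookupNetIP.
type Resolver func(host string) ([]netip.Addr, error)

// ErrBlocked wraps every reason the fetch endpoint refuses a target.
var ErrBlocked = errors.New("fetch target not allowed")

// Ranges netip's IsPrivate/IsLoopback/IsLinkLocalUnicast do not cover:
// "this network", carrier-grade NAT, IETF protocol assignments, reserved class E.
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("192.0.0.0/24"),
	netip.MustParsePrefix("240.0.0.0/4"),
}

// addrAllowed reports whether one resolved address is publicly routable.
func addrAllowed(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:127.0.0.1 is judged as 127.0.0.1
	if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified() {
		return false
	}
	for _, p := range extraBlocked {
		if p.Contains(a) {
			return false
		}
	}
	return true
}

// ValidateFetchURL is the check a server-side fetcher should run before issuing
// a GET: http/https only, and every address the host resolves to is publicly
// routable. The resolved addresses are returned so the caller can dial them
// directly instead of resolving again (closes the DNS-rebinding window).
func ValidateFetchURL(raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrBlocked, err)
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	host := u.Hostname() // port and IPv6 brackets stripped
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrBlocked)
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal address, nothing to resolve
	} else if addrs, err = resolve(host); err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("%w: cannot resolve %q", ErrBlocked, host)
	}
	for _, a := range addrs {
		if !addrAllowed(a) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrBlocked, host, a)
		}
	}
	return addrs, nil
}

// FlagSuspiciousFetches runs the same check over already-served requests, for the
// log review the advisory recommends. Lines use a constructed form,
// "<timestamp> GET <path?query> <status>", and the fetch target is assumed to
// travel in a "url" query parameter (the advisory does not name it).
func FlagSuspiciousFetches(lines []string, resolve Resolver) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 || !strings.HasPrefix(f[2], "/api/templates/fetch") {
			continue
		}
		req, err := url.Parse(f[2])
		if err != nil || req.Query().Get("url") == "" {
			continue
		}
		if _, err := ValidateFetchURL(req.Query().Get("url"), resolve); err != nil {
			hits = append(hits, line)
		}
	}
	return hits
}

// ConstructedResolver stands in for DNS with made-up records: documentation
// addresses from 203.0.113.0/24 and one name that also answers with an internal IP.
func ConstructedResolver(host string) ([]netip.Addr, error) {
	table := map[string][]netip.Addr{
		"templates.example.com": {netip.MustParseAddr("203.0.113.10")},
		"rebind.example.com":    {netip.MustParseAddr("203.0.113.11"), netip.MustParseAddr("10.0.0.5")},
	}
	if a, ok := table[host]; ok {
		return a, nil
	}
	return nil, errors.New("no such host")
}
```

A hostname that resolves to a mix of public and internal addresses is rejected outright rather than filtered, because the fetcher cannot control which record the client library would pick; returning the vetted addresses and dialing them directly is what prevents a second lookup from answering differently.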
CVE-2026-40242 is a Server-Side Request Forgery (SSRF) vulnerability in Arcane versions 1.0.0 through 1.17.2, allowing unauthenticated attackers to make HTTP requests on behalf of the server.
If you are running Arcane versions 1.0.0 through 1.17.2, you are potentially affected by this SSRF vulnerability.
Upgrade Arcane to version 1.17.3 or later to remediate the vulnerability. Consider temporary workarounds like firewall restrictions or WAF rules if immediate upgrading is not possible.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for active campaigns.
Refer to the official Arcane project documentation and security advisories for the most up-to-date information regarding CVE-2026-40242.