CVE-2026-23944
Arcane allows unauthenticated proxy access to remote environments
Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability.
INFO
Published Date :
Jan. 19, 2026, 10:16 p.m.
Last Modified :
Feb. 2, 2026, 3:19 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | HIGH | [email protected] |
Solution
- Update Arcane to version 1.13.2 or later.
- Ensure authentication is enforced for all requests.
- Review agent token handling for remote environments.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-23944.
| URL | Resource |
|---|---|
| https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb | Patch |
| https://github.com/getarcaneapp/arcane/pull/1532 | Issue Tracking Vendor Advisory Patch |
| https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2 | Release Notes |
| https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr | Patch Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-23944 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-23944
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-23944 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-23944 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Feb. 02, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:arcane:arcane:*:*:*:*:*:*:*:* versions up to (excluding) 1.13.2 Added Reference Type GitHub, Inc.: https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb Types: Patch Added Reference Type GitHub, Inc.: https://github.com/getarcaneapp/arcane/pull/1532 Types: Issue Tracking, Patch, Vendor Advisory Added Reference Type GitHub, Inc.: https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2 Types: Release Notes Added Reference Type GitHub, Inc.: https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr Types: Patch, Vendor Advisory -
New CVE Received by [email protected]
Jan. 19, 2026
Action Type Old Value New Value Added Description Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-306 Added Reference https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb Added Reference https://github.com/getarcaneapp/arcane/pull/1532 Added Reference https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2 Added Reference https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr