{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T17:39:02.568","vulnerabilities":[{"cve":{"id":"CVE-2026-23944","sourceIdentifier":"security-advisories@github.com","published":"2026-01-19T22:16:02.603","lastModified":"2026-06-17T10:22:19.737","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability."},{"lang":"es","value":"Arcane es una interfaz para gestionar contenedores Docker, imágenes, redes y volúmenes. Antes de la versión 1.13.2, las solicitudes no autenticadas podían ser redirigidas a agentes de entornos remotos, permitiendo el acceso a recursos de entornos remotos sin autenticación. El middleware de proxy de entorno manejaba las solicitudes `/api/environments/{id}/...` para entornos remotos antes de que se aplicara la autenticación. Cuando el ID del entorno no era local, el middleware redirigía la solicitud y adjuntaba el token de agente en posesión del gestor, incluso si el solicitante no estaba autenticado. Esto permitía el acceso no autenticado a operaciones de entornos remotos (por ejemplo, listar contenedores, transmitir registros u otros puntos finales de agente). Un atacante no autenticado podía acceder y manipular recursos de entornos remotos a través del proxy, lo que podría llevar a la exposición de datos, cambios no autorizados o interrupción del servicio. La versión 1.13.2 corrige la vulnerabilidad."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"getarcaneapp","product":"arcane","versions":[{"version":"< 1.13.2","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-21T21:16:41.364786Z","id":"CVE-2026-23944","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-306"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:arcane:arcane:*:*:*:*:*:*:*:*","versionEndExcluding":"1.13.2","matchCriteriaId":"3331EF16-7450-4A37-8FD0-7BE706CC82C9"}]}]}],"references":[{"url":"https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/getarcaneapp/arcane/pull/1532","source":"security-advisories@github.com","tags":["Issue Tracking","Patch","Vendor Advisory"]},{"url":"https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}