CVE-2026-45627 | Severity: HIGH | CNA: GitHub_M

CVE-2026-45627: Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account. This vulnerability is fixed in 1.19.0.

HarborGuard Analysis

Synopsis

A reflected cross-site scripting flaw in Arcane, a Docker management interface, lets unauthenticated attackers inject JavaScript through the color query parameter of the /api/app-images/logo endpoint. The endpoint reflects the parameter into an SVG style block without escaping, and because Arcane returns the response as image/svg+xml with no Content-Security-Policy, a logged-in admin lured to a crafted URL executes attacker code in Arcane's origin and the session cookie carries the request through to full admin takeover. A patched-image rebuild at Arcane 1.19.0 is available on HarborGuard for affected environments.
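As an added example (not Arcane's code and not its actual 1.19.0 fix), the following Go shows the reflection pattern the description and synopsis above attribute to the endpoint beside a hardened handler; logoTemplate, safeColor, hardenedLogo, the hex-only allowlist and the header values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Constructed stand-in for the embedded logo.svg; Arcane's real file is not reproduced.
const logoTemplate = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">` +
	`<style>.brand{fill:{{COLOR}}}</style><rect class="brand" width="10" height="10"/></svg>`

// vulnerableLogo mirrors the advisory's pattern: strings.ReplaceAll with no validation or escaping.
func vulnerableLogo(color string) string {
	return strings.ReplaceAll(logoTemplate, "{{COLOR}}", color)
}

// colorPattern is a deny-by-default allowlist of CSS hex colors, so no character
// that could close the style block can ever reach the response body.
var colorPattern = regexp.MustCompile(`^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$`)
const defaultColor = "#000000"

// safeColor returns the requested color and true if it passes the allowlist,
// otherwise defaultColor and false.
func safeColor(color string) (string, bool) {
	if colorPattern.MatchString(color) {
		return color, true
	}
	return defaultColor, false
}

// hardenedLogo is the hypothetical fixed handler: allowlist the value and add the missing headers.
func hardenedLogo(w http.ResponseWriter, r *http.Request) {
	color, _ := safeColor(r.URL.Query().Get("color"))
	h := w.Header()
	h.Set("Content-Type", "image/svg+xml")
	h.Set("X-Content-Type-Options", "nosniff")
	// The logo never legitimately carries script, so permit only its inline style.
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
	fmt.Fprint(w, strings.ReplaceAll(logoTemplate, "{{COLOR}}", color))
}

func main() { // stand-alone demo: a non-hex value is replaced by defaultColor
	rec := httptest.NewRecorder()
	hardenedLogo(rec, httptest.NewRequest(http.MethodGet, "/api/app-images/logo?color=red", nil))
	fmt.Println(rec.Body.String())
}
```

The allowlist is the control that matters; the two headers are defence in depth for any other image endpoint that reflects input.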

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE record is ingested from upstream feeds within minutes of publication and matched against Arcane images in customer registries and pipelines, including custom-built images that embed or repackage Arcane.

Triage: Available

Triage is available with the published CVSS 3.1 score of 8.2 (High) weighted against each customer's compliance policy, so internet-exposed or admin-facing Arcane deployments escalate ahead of isolated ones and route to the responsible inbox inside each customer org.

Patch: Pending upstream

A patched-image rebuild at Arcane 1.19.0 is available on HarborGuard for environments running an affected version. Customers with auto-remediation enabled get the rebuilt image, a regression-test run, and a PR opened against the affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker needs to reach the Arcane web interface over the network to deliver the crafted /api/app-images/logo URL.

  • Authentication: Not required

    The vulnerable endpoint is unauthenticated, so the attacker needs no Arcane credentials of their own.

  • Victim interaction: Required

    A logged-in Arcane admin must be lured into clicking or navigating to the attacker's crafted URL for the injected script to execute.

  • Attack complexity: Low

    Attack complexity is low: the parameter is reflected without escaping and no CSP or content-type protections need to be bypassed.

Blast Radius

  • Attacker-controlled JavaScript runs in Arcane's origin under the victim admin's session.
  • The HttpOnly JWT cookie is replayed by the browser, letting the attacker drive authenticated admin API calls.
  • Full administrative control of Arcane follows, including manipulation of Docker containers, images, networks, and volumes managed by the instance.
  • Confidential data visible to the admin (container configs, secrets surfaced in the UI, registry credentials) can be read and exfiltrated.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at Arcane 1.19.0 is published for environments running an affected version, and customers with auto-remediation enabled receive the rebuilt image, a regression-test run, and a PR opened against the affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy blocks auto-remediation, HarborGuard surfaces the fix version and suggests compensating controls such as restricting Arcane's admin UI to a trusted network, enforcing a strict Content-Security-Policy at the proxy, and instructing admins to log out of Arcane in browsers used for general browsing until the upgrade lands.

Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: 1.19.0
Affected Products: 1
Affected packages:
  • getarcaneapp / arcane: < 1.19.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N