CVE-2026-48050: Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

June 11, 2026

Arc registers Go’s net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.

References

github.com/Basekick-Labs/arc/commit/32a4091fb949f9cf060cdd804a07f6450dc426a8
github.com/Basekick-Labs/arc/releases/tag/v26.06.1
github.com/Basekick-Labs/arc/security/advisories/GHSA-j93g-rp6m-j32m
github.com/advisories/GHSA-j93g-rp6m-j32m
nvd.nist.gov/vuln/detail/CVE-2026-48050

Code Behaviors & Features

Detect and mitigate CVE-2026-48050 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →