CVE-2026-40242: Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint

April 10, 2026

The /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server’s response is returned directly to the caller. type. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance.

References

github.com/advisories/GHSA-ff24-4prj-gpmj
github.com/getarcaneapp/arcane
github.com/getarcaneapp/arcane/releases/tag/v1.17.3
github.com/getarcaneapp/arcane/security/advisories/GHSA-ff24-4prj-gpmj
nvd.nist.gov/vuln/detail/CVE-2026-40242

Code Behaviors & Features

Detect and mitigate CVE-2026-40242 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →