Zurück zur Liste

Arcane: Missing admin authorization on global variables endpoint — CVE-2026-47125

GitHub · GitHub · CVE-2026-47125

ID
CVE-2026-47125

Datum
2026-05-23

Activity
2026-05-23

Quelle
GitHub

Vendor
GitHub

Risiko
high

CVSS
8.8

Zusammenfassung

## Summary The `PUT /api/environments/{id}/templates/variables` endpoint, which writes the system-wide `.env.global` file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By…

Produkt

go: github.com/getarcaneapp/arcane/backend

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Mehr dazu

GitHub GitHub 2026-W21

aiograpi: Unsafe signup challenge path handling

2026-05-23 CVE-2026-47157

mediumGitHub GitHub 2026-W21

AstrBot: File upload vulnerability in the function post_file of the file astrbot/dashboard/routes/chat.py

2026-05-23 CVE-2026-8754

lowGitHub GitHub 2026-W21

Beetl's SpELFunction extension function has an expression injection risk

2026-05-23 CVE-2026-8759

mediumGitHub GitHub 2026-W21

DSA-6295-1 linux - security update

2026-05-23 DSA-6295-1

mediumDebian Debian 2026-W21

instagrapi: Unsafe signup challenge path handling in instagrapi

2026-05-23 GHSA-GGXF-37HM-9WQF

mediumGitHub GitHub 2026-W21

Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

2026-05-23 CVE-2026-47124

mediumGitHub GitHub 2026-W21