HIGH 8.2

CVE-2026-45627: Arcane Reflected XSS in Logo Endpoint Allows Admin Account Takeover

Arcane, a Docker container management interface, contains a reflected cross-site scripting (XSS) vulnerability in its unauthenticated logo endpoint. An attacker can craft a malicious URL containing injected CSS or JavaScript that gets reflected into an SVG document served to a logged-in admin user. When the admin visits this link, the injected script executes in the browser with full access to Arcane's origin, including HttpOnly session cookies, potentially leading to complete account compromise. The vulnerability exists because the endpoint does not properly escape user input and the application lacks protective HTTP headers. This issue is resolved in Arcane version 1.19.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account. This vulnerability is fixed in 1.19.0.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the unauthenticated GET /api/app-images/logo endpoint, which accepts a color query parameter and reflects it unsanitized into an SVG document using strings.ReplaceAll without HTML/XML entity encoding. The substitution point is within a <style> element, allowing an attacker to break out of the CSS context by closing the style tag and injecting arbitrary HTML elements, particularly <script> tags. The response content-type is set to image/svg+xml, which modern browsers interpret as executable SVG content rather than a static image. Critically, Arcane does not set Content-Security-Policy or X-Content-Type-Options: nosniff headers, which would otherwise mitigate such attacks. Since the endpoint is unauthenticated, any URL is valid; however, the attack requires social engineering or phishing to trick an admin into visiting a malicious link. When a logged-in admin user accesses the crafted URL, JavaScript executes in Arcane's origin with access to HttpOnly JWT cookies set for that domain, enabling session hijacking and administrative privilege abuse.

Business impact

Successful exploitation results in complete compromise of administrative Arcane accounts. An attacker gains the ability to manage Docker containers, images, networks, and volumes on affected systems, potentially leading to service disruption, data exfiltration, lateral movement within containerized environments, or deployment of malicious workloads. Because the vulnerability requires admin-level victims, the blast radius is limited to privileged users, but the impact per compromise is severe. Organizations relying on Arcane as a critical management interface face risk of infrastructure sabotage or persistent access for further attacks.

Affected systems

Arcane versions prior to 1.19.0 are vulnerable. The vendor information is not provided in the advisory, so teams should verify their deployment version against the official Arcane release notes. All deployments of vulnerable Arcane versions are potentially at risk; however, exploitation requires an admin user to visit an attacker-controlled or attacker-modified link, so security awareness and email filtering provide some practical mitigation.

Exploitability

The vulnerability is relatively straightforward to exploit from a technical standpoint: an attacker constructs a URL with a malicious color parameter value that breaks out of the SVG style context and injects script tags. No special tools or zero-day complexity is required. However, exploitability in practice depends on social engineering—the attacker must convince an admin to click a link, typically via phishing or watering-hole tactics. The lack of CVSS prerequisites reflects the ease of the attack vector (network, unauthenticated) and the broad scope (compromises admin role across Arcane's origin), though the requirement for user interaction (UI=R) is reflected in the score.

Remediation

Upgrade Arcane to version 1.19.0 or later. This patch includes proper input validation and output encoding for the color parameter, eliminating the ability to inject script content. Teams should verify the patch version against official Arcane release notes before deploying. After patching, conduct a security review of any admin accounts to check for unauthorized activity or anomalous container/image modifications during the exposure window.

Patch guidance

1. Verify your current Arcane version by checking the deployed container or application settings. 2. Review the official Arcane release notes and security advisory for version 1.19.0 to confirm the fix and any breaking changes. 3. Plan a maintenance window to upgrade, as restarting Arcane may briefly interrupt Docker management operations. 4. Test the upgrade in a non-production environment if possible. 5. After upgrade, validate that the logo endpoint no longer reflects user input unsanitized by testing with a benign color parameter. 6. Monitor logs for any suspicious requests to /api/app-images/logo with unusual color parameters during the pre-patch period.

Detection guidance

Review web server or proxy access logs for requests to /api/app-images/logo with color parameter values containing HTML/XML special characters such as '<', '>', quotes, or common script injection patterns (e.g., '</style>', '<script>'). Monitor admin account activity for signs of unauthorized container, image, or volume modifications, unusual API calls, or login events from unexpected IP addresses. If Arcane logs HTTP requests, search for 400/403 responses to /api/app-images/logo during the window before the vulnerability was known to be fixed, as these may indicate failed injection attempts. Check browser console logs or network traffic on admin workstations for unexpected JavaScript execution or external script loads from Arcane's origin.

Why prioritize this

Although the CVSS score is 8.2 (HIGH), this vulnerability requires social engineering to exploit and targets only administrative users. Organizations should prioritize patching based on: (1) the number of admin users and their exposure to phishing or untrusted links; (2) the criticality of Arcane to infrastructure management; (3) the presence of other compensating controls (e.g., email filtering, admin security training). Teams operating Arcane in isolated or air-gapped environments face lower risk. However, the high confidence of exploitation once a user is tricked and the severity of admin compromise (full infrastructure access) justify treating this as a medium-to-high priority for most deployments.

Risk score, explained

The CVSS 3.1 score of 8.2 reflects the combination of network accessibility (no authentication required to craft the URL), low attack complexity (simple URL manipulation), cross-origin scope (affects Arcane's administrative functionality), high confidentiality impact (admin account compromise exposes all container and image data), and low integrity impact (attacker can modify containers but does not directly corrupt stored data via this attack alone). The score is tempered by the requirement for user interaction (the admin must click the link) and the limitation to admin-level victims rather than all users. The lack of KEV status indicates no known widespread exploitation as of the publication date.

Frequently asked questions

What happens if an admin user visits a malicious logo link?

The attacker's JavaScript executes in the admin's browser in Arcane's origin. Because the admin is logged in and Arcane uses HttpOnly JWT cookies, the script can access and exfiltrate the session token, enabling the attacker to hijack the admin account and perform any action (create, modify, or delete containers; exfiltrate data; deploy malicious workloads).

Can users other than admins be compromised?

Technically, any user with a valid session could be tricked into visiting the malicious link. However, the vulnerability itself does not distinguish privilege levels—the impact depends on the victim's role. An attacker would gain the compromised user's privileges, so non-admin users represent lower-value targets but are not exempt from risk.

Does patching to 1.19.0 require any configuration changes?

The official Arcane documentation and release notes should be consulted for any migration steps. In most cases, upgrading to a patch version should be transparent. However, teams should always test patches in a staging environment before production deployment to check for compatibility with their specific setup.

If we are behind a WAF or proxy, are we protected?

A Web Application Firewall or reverse proxy with output encoding rules or CSP injection capabilities could block or sanitize malicious color parameters if configured correctly. However, such controls should not be relied upon as a substitute for patching. The application itself should properly encode user input, and the proxy should be viewed as a defensive layer, not a primary mitigation.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. No warranty is made regarding the completeness or accuracy of vendor product lists or patch version details. Organizations should verify patch availability and compatibility with their specific Arcane deployment against official vendor advisories. Proof-of-concept code or detailed exploitation techniques are not provided in this advisory. Security teams should validate all remediation steps in a test environment before production deployment. This vulnerability is tracked under MITRE CVE-2026-45627 and associated CWE-79 (Improper Neutralization of Input During Web Page Generation). Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).