CVE-2026-45625

🗓️ 29 May 2026 17:10:57Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 19 Views🌐 WEB

CVE-2026-45625: Arcane prior to 1.19.0 allows non-admins to exfiltrate Git credentials via git endpoints.

Reporter	Title	Published	Views	Family All 11
ATTACKERKB	CVE-2026-45625	29 May 202617:10	–	attackerkb
Circl	CVE-2026-45625	29 May 202620:24	–	circl
CNNVD	arcane 安全漏洞	29 May 202600:00	–	cnnvd
Cvelist	CVE-2026-45625 Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs	29 May 202617:10	–	cvelist
EUVD	EUVD-2026-33373	29 May 202617:10	–	euvd
Github Security Blog	Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs	18 May 202613:44	–	github
NVD	CVE-2026-45625	29 May 202618:17	–	nvd
OSV	GHSA-7H26-HG47-P9HX Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs	18 May 202613:44	–	osv
Positive Technologies	PT-2026-41692	18 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-45625	1 Jun 202622:03	–	redhatcve

Vulners

Node

getarcaneapp arcaneRange<1.19.0

[
  {
    "vendor": "getarcaneapp",
    "product": "arcane",
    "versions": [
      {
        "version": "< 1.19.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/getarcaneapp/arcane/security/advisories/GHSA-7h26-hg47-p9hx

Parameter	Position	Path	Description	CWE
repositoryURL	query param	/api/customize/git-repositories/list	End-user reachable list endpoint allows operations without admin check, enabling credential exposure via subsequent /test, /branches, or /files calls.	CWE-862
token	query param	/api/customize/git-repositories/list	End-user reachable list endpoint allows operations without admin check, enabling credential exposure via subsequent /test, /branches, or /files calls.	CWE-862
sshKey	query param	/api/customize/git-repositories/list	End-user reachable list endpoint allows operations without admin check, enabling credential exposure via subsequent /test, /branches, or /files calls.	CWE-862
repositoryURL	request body	/api/customize/git-repositories/create	Create git repository config without enforcing admin role, risking exposure of stored credentials on next test/branch/file calls.	CWE-862
token	request body	/api/customize/git-repositories/create	Create git repository config without enforcing admin role, risking exposure of stored credentials on next test/branch/file calls.	CWE-862
sshKey	request body	/api/customize/git-repositories/create	Create git repository config without enforcing admin role, risking exposure of stored credentials on next test/branch/file calls.	CWE-862
repositoryID	path	/api/customize/git-repositories/get	Get git repository config without admin check, potentially exposing credentials on subsequent operations.	CWE-862
token	path	/api/customize/git-repositories/get	Get git repository config without admin check, potentially exposing credentials on subsequent operations.	CWE-862
sshKey	path	/api/customize/git-repositories/get	Get git repository config without admin check, potentially exposing credentials on subsequent operations.	CWE-862
repositoryID	request body	/api/customize/git-repositories/update	Update repository config without admin verification, may trigger credential decryption and exfiltration on next calls.	CWE-862

17 Jun 2026 10:52Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.19.9

EPSS0.00387

SSVC

CWE-862