
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under…

Published:

28 May 2026 at 22:00:00

Alert date:

29 May 2026 at 21:09:42

Source:

nvd.nist.gov


Cloud & Virtualization, Identity & Access, Data Breach & Exfiltration

CVE-2026-45625 affects Arcane, a Docker container management interface, prior to version 1.19.0. The vulnerability stems from insufficient authorization checks in the REST API endpoints that manage GitOps repositories. Eight endpoints under /api/customize/git-repositories and /api/git-repositories/sync fail to call the checkAdmin(ctx) helper function. As a result, any authenticated user with the default user role can perform administrative operations, including listing, creating, modifying, and deleting git repository configurations. An attacker can redirect a repository URL to an attacker-controlled host, causing Arcane to decrypt the legitimate PAT/SSH keys and transmit them as plaintext credentials. The vulnerability enables one-step exfiltration of Git credentials and has been fixed in version 1.19.0.
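The flaw class described above, a handler that never calls its admin check, can be caught by replaying the admin routes as a default-role user and closed with a default-deny guard on the admin prefixes. The following Go code is an added example, not Arcane's code: only the two path prefixes come from the advisory, while the stand-in handler, the `X-Demo-Role` header, the `demo-id` path segment and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Prefixes come from the advisory; handler, role header and probe IDs are constructed.
var adminPrefixes = []string{"/api/customize/git-repositories", "/api/git-repositories/sync"}
var probes = [][2]string{
	{"GET", "/api/customize/git-repositories"}, {"POST", "/api/customize/git-repositories"},
	{"PUT", "/api/customize/git-repositories/demo-id"}, {"DELETE", "/api/customize/git-repositories/demo-id"},
	{"POST", "/api/git-repositories/sync"},
}

// unguarded stands in for handlers that omit their own admin check (the flaw class).
var unguarded = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

// requireAdmin rejects non-admin callers on admin prefixes; the header stands in for a session lookup.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, p := range adminPrefixes {
			onAdminPath := r.URL.Path == p || strings.HasPrefix(r.URL.Path, p+"/")
			if onAdminPath && r.Header.Get("X-Demo-Role") != "admin" {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// auditAs replays the probes as role and returns every route not answered with 403.
func auditAs(h http.Handler, role string) []string {
	var open []string
	for _, p := range probes {
		req := httptest.NewRequest(p[0], p[1], nil)
		req.Header.Set("X-Demo-Role", role)
		rec := httptest.NewRecorder()
		if h.ServeHTTP(rec, req); rec.Code != http.StatusForbidden {
			open = append(open, p[0]+" "+p[1])
		}
	}
	return open
}

func main() {
	fmt.Println("unguarded:", auditAs(unguarded, "user"), "guarded:", auditAs(requireAdmin(unguarded), "user"))
}
```

Run as a regression test, a non-empty result from `auditAs` for the default role flags any admin route that was registered without an authorization check.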

Technical details

Mitigation steps:

Affected products:

Arcane


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
