Arcane Unauthenticated Template Content Disclosure Vulnerability

A vulnerability in Arcane's Huma backend prior to version 1.18.0 allows unauthenticated network clients to access and read the full Compose YAML and .env content of every custom template stored on the instance. This issue arises because four GET endpoints under /api/templates* are registered without any security requirements, creating a backend authorization gap. The 'Save as Template' feature in the Arcane UI inadvertently exposes sensitive environmental data, such as database passwords and API keys, verbatim. While the frontend treats these endpoints as authenticated areas, the lack of security enforcement in the backend leads to unauthorized access to operator secrets.

Impact

Exploitation of this vulnerability results in a pre-authentication confidentiality breach, allowing unauthorized access to sensitive environmental data stored in Compose templates. This data often includes database passwords, API keys, and other confidential information. Additionally, the vulnerability enables internal asset enumeration by disclosing metadata about all templates stored on the instance, including names, descriptions, and tags.

Reproduction

The vulnerability can be reproduced by sending unauthenticated GET requests to the affected endpoints under '/api/templates*'. This can be done using a network client or through a path-unaware reverse proxy. The response will include the full content of all locally stored Compose templates, including sensitive environmental data from the .env files.

Remediation

Users can update to Arcane version 1.18.0 or later, where this vulnerability has been patched.