Intelligence
criticalVulnerabilityActive

Arcane Backend: Broken Access Control on GitOps Credential Management Endpoints

Eight git repository management endpoints in Arcane lack admin role enforcement, allowing any authenticated user to read, modify, and exfiltrate stored Git credentials. This breaks the confidentiality and integrity of GitOps configurations and enables lateral movement via credential theft.

S
Sebastion

CVE References

CVE-2026-45625

Affected

Arcane/Arcane Backend

Vulnerability Description

This is a broken access control vulnerability (CWE-639, CWE-276) affecting Arcane's huma-based REST API. Nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync are designed for admin-only GitOps repository management but lack role-based authorization checks. The authentication middleware validates user identity but deliberately skips role enforcement, delegating it to per-endpoint checkAdmin(ctx) calls that were omitted from eight of nine endpoints. This allows any user with default user role to enumerate, create, update, and delete git repository configurations.

Proof-of-Concept Significance

The PoC demonstrates a two-stage attack chain with high reliability: (1) an attacker lists existing git repositories to identify targets, then (2) modifies a repository's URL to attacker-controlled infrastructure while leaving credential fields (token, sshKey) intact due to partial update semantics. When Arcane calls /test, /branches, or /files endpoints, it decrypts stored plaintext credentials and presents them as HTTP Basic auth or SSH key material to the attacker's host, enabling one-step credential exfiltration. The attack requires only valid authentication (not admin status) and succeeds against default deployments with no additional preconditions.

Detection Guidance

Log indicators:

  • Repeated POST /api/customize/git-repositories or PUT /api/git-repositories/{id} calls from non-admin user accounts
  • GET /api/customize/git-repositories list operations followed by repository updates with modified URLs
  • Unusual outbound HTTP/SSH connections from Arcane process to unrecognized hosts immediately after /test or /files API calls
  • Audit logs showing credential decryption operations triggered by non-admin user actions

Detection approach:

  • Monitor for API calls to git repository endpoints where userIsAdmin flag is false in request context
  • Alert on repository modifications that change the url field while omitting token/sshKey fields
  • Track outbound connections from Arcane to external hosts during credential test/verification operations
  • Review git credentials for signs of exposure (credential rotation alerts from upstream providers)

Mitigation Steps

Immediate actions:

  1. Patch urgently: Upgrade to the patched version when released; this is likely a single-line addition of checkAdmin(ctx) calls to all eight affected endpoints
  2. Restrict API access: Apply network-level controls limiting /api/customize/git-repositories and /api/git-repositories/sync access to known admin sources
  3. Credential rotation: Rotate all Git PATs, SSH keys, and credentials stored in Arcane repositories immediately; assume compromise
  4. Audit trails: Enable verbose audit logging for all git repository operations and review for unauthorized modifications in the past 30–90 days
  5. RBAC hardening: Verify that the authentication middleware enforces role checks at the middleware layer rather than delegating to individual handlers

Workarounds (if patching is delayed):

  • Disable git repository management endpoints via WAF/reverse proxy rules for non-admin IPs
  • Implement custom pre-auth checks in reverse proxy to block non-admin calls to these paths
  • Restrict user role assignments to eliminate default user accounts with API access

Risk Assessment

Likelihood of exploitation: High. This vulnerability requires only basic API knowledge and valid authentication credentials (which internal employees or compromised low-privilege accounts typically possess). No advanced exploitation techniques needed.

Threat actor interest: Critical. GitOps credentials and git repository configurations are high-value targets for supply chain attacks, lateral movement, and code injection. Attackers can use exfiltrated credentials to:

  • Inject malicious commits into GitOps repositories
  • Pivot to downstream systems deployed via GitOps pipelines
  • Access private source code repositories
  • Modify infrastructure-as-code

Wild exploitation likelihood: High, once PoC is public. The attack is deterministic, requires no exploits, and directly impacts CI/CD pipeline security. Cloud-native and DevOps-focused environments are particularly exposed.

Sources

pocbroken-access-controlcredential-exfiltrationgitops-securitycwe-639cwe-276authentication-bypass
Back to intelligence