CVE-2026-45625
Arcane · Docker Container Management Interface
Arcane's REST API fails to enforce admin-level authorization on Git repository management endpoints, allowing authenticated users to exfiltrate sensitive credentials.
Executive summary
An authorization bypass in the Arcane management interface allows authenticated users to exfiltrate plaintext Git credentials by exploiting improperly protected API endpoints.
Vulnerability
Several of Arcane's Git repository management API endpoints fail to invoke the checkAdmin(ctx) helper, and the authentication middleware only verifies that the caller holds a valid user role rather than requiring admin privileges. As a result, any authenticated user can modify a repository's URL so that the system sends the stored PAT or SSH key to a host under the attacker's control.
Business impact
With a CVSS score of 9.9, this vulnerability poses a severe threat to organizations using GitOps workflows. Successful exploitation enables an attacker to steal highly sensitive credentials, potentially granting them access to private source code repositories, CI/CD pipelines, and internal infrastructure.
Remediation
Immediate Action: Update the Arcane management interface to version 1.19.0 or later to enforce proper admin authorization checks.
Proactive Monitoring: Review audit logs for unusual activity on /api/customize/git-repositories or /api/git-repositories/sync endpoints, particularly from non-admin accounts.
Compensating Controls: Restrict access to the Arcane management interface to trusted internal networks and implement IP-based access control lists (ACLs) to limit the exposure of the API.
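To support the monitoring step above, here is an added example (not Arcane's code and not part of the advisory) that scans audit log lines for the sequence the advisory describes: a non-admin account that successfully modifies a repository entry and then triggers a sync. The JSON log format, its field names and the sample lines are constructed assumptions; adapt the parser to the real log schema.

```python
import json
from datetime import datetime, timedelta

# Endpoints named in the advisory's monitoring guidance.
REPO_CFG = "/api/customize/git-repositories"
REPO_SYNC = "/api/git-repositories/sync"
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample audit log, one JSON object per line. The field names
# are an assumption, not Arcane's actual log schema.
SAMPLE_LOG = """\
{"ts":"2026-05-01T10:00:01Z","user":"alice","role":"admin","method":"GET","path":"/api/customize/git-repositories","status":200}
{"ts":"2026-05-01T10:02:14Z","user":"bob","role":"user","method":"PUT","path":"/api/customize/git-repositories/7","status":200}
{"ts":"2026-05-01T10:02:20Z","user":"bob","role":"user","method":"POST","path":"/api/git-repositories/sync","status":200}
{"ts":"2026-05-01T10:05:00Z","user":"carol","role":"user","method":"GET","path":"/api/containers","status":200}
{"ts":"2026-05-01T10:06:00Z","user":"dave","role":"user","method":"GET","path":"/api/customize/git-repositories","status":403}
not json at all
"""

def parse_log(text):
    """Yield one event dict per well-formed line; skip anything unparseable."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            yield ev
        except (ValueError, KeyError, TypeError):
            continue

def on_path(path, prefix):
    """True for the endpoint itself and for sub-resources such as .../7."""
    return path == prefix or path.startswith(prefix + "/")

def non_admin_hits(text):
    """Successful (2xx) requests by non-admin accounts to either watched endpoint."""
    return [ev for ev in parse_log(text)
            if ev.get("role") != "admin"
            and (on_path(ev.get("path", ""), REPO_CFG) or on_path(ev.get("path", ""), REPO_SYNC))
            and 200 <= ev.get("status", 0) < 300]

def leak_sequences(text, window=timedelta(minutes=10)):
    """Users who, as non-admins, wrote to a repository entry and then called sync
    within `window`: a repository-URL change followed by a sync is the pattern
    that would cause stored credentials to be sent to the new URL."""
    hits = non_admin_hits(text)
    flagged = set()
    for w in hits:
        if w["method"] not in WRITE_METHODS or not on_path(w["path"], REPO_CFG):
            continue
        for s in hits:
            if (s["user"] == w["user"] and on_path(s["path"], REPO_SYNC)
                    and timedelta(0) <= s["ts"] - w["ts"] <= window):
                flagged.add(w["user"])
    return sorted(flagged)
```

A 403 on the watched paths (dave above) is the expected post-patch behaviour and is deliberately not flagged; only successful non-admin access is reported.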
Exploitation status
Public Exploit Available: No data available.
Analyst recommendation
This vulnerability highlights the risk of inconsistent authorization enforcement. Organizations should immediately apply the update and rotate any credentials that may have been accessible via the Arcane interface to ensure the security of integrated Git repositories.