arcane

v1.19.1 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

compose container-management containers docker docker-management go self-hosted sveltekit typescript web-ui

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Light signal

Arcane v1.19.1 denies non-HMAC JWT requests, closing an authentication abuse vector. Rate limiting on auth endpoints and database-backed sessions with proper jti handling complete a security hardening release.

Why it matters: v1.19.1 denies non-HMAC JWT requests to close an authentication abuse vector. Rate limiting and session hardening add defense-in-depth. Test in dev and plan deployment in the next security patch cycle.

Summary

AI summary

Denies non-HMAC JWT requests, closing an authentication abuse vector.

Changes in this release

Security Medium

Denies non-HMAC JWT requests.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Adds rate limiting to webhooks and auth endpoints, with caching for user sessions.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Allows custom redirect URL for OIDC on mobile devices.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixes the archived switch overlapping the projects search bar.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Displays the correct environment types in the filter.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Build history now updates after builds are completed.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Corrects backend argument for Trivy on 32-bit hosts.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Stores user sessions in the database with proper jti.

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

Migrates backend router from Gin to Echo.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Bug fixes

  • show archived switch overlapping projects search bar (d02a05c by @kmendell)
  • show correct environments types in filter (#2578 by @kmendell)
  • build history not being updated after builds are completed (#2586 by @kmendell)
  • incorrect backend arg used for trivy on 32bit hosts (#2587 by @kmendell)
  • updater api authorization checks (#2588 by @kmendell)
  • deny non hmac jwt requests (d568d03 by @kmendell)
  • add rate limiting to webhooks and auth endpoints, and add caching to user session (#2591 by @kmendell)

Other

  • add mobile device custom redirect url for oidc (#2580 by @kmendell)
  • migrate off gin to use echo for backend router (#2582 by @kmendell)
  • store user sessions in database with proper jti (#2590 by @kmendell)

Full Changelog: https://github.com/getarcaneapp/arcane/compare/v1.19.0...v1.19.1

Security Fixes

  • Deny non HMAC JWT requests — prevents unauthorized authentication abuse
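
An added example, not Arcane's code (this page does not show the commit): a standard-library Go verifier that applies the rule above by checking the header's `alg` against an HMAC allowlist before any signature work is done. The names `Verify`, `Sign`, `dec`, `hmacAlgs`, the error values and the demo key are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
	"strings"
)

var ErrNonHMAC, ErrBadToken = errors.New("jwt: non-HMAC alg denied"), errors.New("jwt: bad token")
var B64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// Allowlist: "none", RS256, ES256 and anything else not listed is denied.
var hmacAlgs = map[string]func() hash.Hash{"HS256": sha256.New, "HS384": sha512.New384, "HS512": sha512.New}

// Sign returns the encoded HMAC over "header.payload"; alg must be allowlisted.
func Sign(alg, in string, key []byte) string {
	h := hmac.New(hmacAlgs[alg], key)
	h.Write([]byte(in))
	return B64.EncodeToString(h.Sum(nil))
}
func dec(seg string, v any) bool {
	raw, err := B64.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// Verify rejects on the header alg first, then compares MACs in constant time.
func Verify(token string, key []byte) (claims map[string]any, err error) {
	var hdr struct{ Alg string }
	p := strings.Split(token, ".")
	if len(p) != 3 || !dec(p[0], &hdr) {
		return nil, ErrBadToken
	}
	if _, ok := hmacAlgs[hdr.Alg]; !ok {
		return nil, ErrNonHMAC
	}
	if !hmac.Equal([]byte(p[2]), []byte(Sign(hdr.Alg, p[0]+"."+p[1], key))) || !dec(p[1], &claims) {
		return nil, ErrBadToken
	}
	return claims, nil
}

func main() {
	none := B64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + B64.EncodeToString([]byte(`{"sub":"admin"}`)) + "."
	fmt.Println(Verify(none, []byte("constructed-demo-key"))) // constructed token, refused on alg
}
```

The allowlist is keyed on exact algorithm names, so a missing or empty `alg` is denied the same way as an asymmetric one.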


About arcane

Modern Docker Management, Designed for Everyone
