Arelle RCE: Unauthenticated Remote Code Execution in REST Endpoint
The National Vulnerability Database has disclosed CVE-2026-42796, a critical unauthenticated remote code execution (RCE) vulnerability affecting Arelle before version 2.39.10. This flaw resides within the /rest/configure REST endpoint, which accepts a plugins query parameter. Crucially, this parameter is forwarded directly to Arelle’s plugin manager without any authentication or authorization checks.
Attackers can exploit this by supplying a URL to a malicious Python file via the plugins parameter. The Arelle webserver will then download and execute this attacker-controlled code within its own process, inheriting its privileges. This provides a direct path to system compromise with minimal effort, earning a CVSS score of 9.8 (Critical) and aligning with CWE-306 (Missing Authentication for Critical Function).
This is a low-complexity, high-impact vulnerability. Organizations utilizing Arelle in any web-facing capacity are directly exposed. The lack of authentication makes this a prime target for opportunistic attackers looking for an easy entry point into corporate networks.
What This Means For You
- If your organization uses Arelle, you need to immediately identify all instances, especially those exposed to the internet. Prioritize patching to version 2.39.10 or later without delay. If immediate patching isn't feasible, consider network-level access restrictions to the `/rest/configure` endpoint to mitigate the risk until a patch can be applied. Assume any unpatched, exposed instance is already compromised.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-42796: Arelle Unauthenticated RCE via /rest/configure
title: CVE-2026-42796: Arelle Unauthenticated RCE via /rest/configure
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
Detects unauthenticated requests to the /rest/configure endpoint with a 'plugins' query parameter, which is the entry point for CVE-2026-42796. This vulnerability allows attackers to supply a URL to a malicious Python file, leading to remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42796/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/rest/configure'
cs-uri-query|contains:
- 'plugins='
cs-method|exact:
- 'GET'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42796 | RCE | Arelle webserver |
| CVE-2026-42796 | RCE | Arelle before 2.39.10 |
| CVE-2026-42796 | RCE | /rest/configure REST endpoint |
| CVE-2026-42796 | RCE | plugins query parameter |
| CVE-2026-42796 | Auth Bypass | unauthenticated access to plugin manager |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Prometheus CVE-2026-42154: Unauthenticated Memory Exhaustion Vulnerability
CVE-2026-42154 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not...
Prometheus Azure AD OAuth Secret Exposed via Plaintext Config
CVE-2026-42151 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD...
CVE-2026-25863: WordPress Plugin DoS Vulnerability Hits Contact Form 7
CVE-2026-25863 — Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the...