Skip to main content

ArcadeDB CVE-2026-44221

CRITICAL
Incorrect Authorization (CWE-863)
2026-05-05 https://github.com/ArcadeData/arcadedb GHSA-fxc7-fm93-6q77
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 23:01 vuln.today
Analysis Generated
May 05, 2026 - 23:01 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 maven packages depend on com.arcadedb:arcadedb-server (11 direct, 0 indirect)

Ecosystem-wide dependent count for version 26.4.2.

DescriptionGitHub Advisory

Impact

Authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal.

Patches

Upgrade to version 26.4.2

Resources

https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8

AnalysisAI

Authenticated users in ArcadeDB server versions prior to 26.4.2 can bypass database-scoped authorization and perform read, write, and schema mutation operations across all databases on the same server instance. Two critical implementation flaws combine: uninitialized file access maps treated as allow-all permissions, and newly-created databases via API POST /api/v1/server silently disabling their entire record-level authorization system through omitted security factory configuration. Vendor-released patch 26.4.2 addresses both defects. No public exploit identified at time of analysis, though CVSS 9.0 reflects severe authorization breakdown requiring only low-privilege authenticated access.

Technical ContextAI

ArcadeDB is a multi-model graph/document database server (Maven package com.arcadedb:arcadedb-server). The vulnerability stems from CWE-863 (Incorrect Authorization) implemented through two distinct authorization bypass mechanisms. First, ServerSecurityUser.getDatabaseUser() returned database user objects with uninitialized fileAccessMap fields, which the requestAccessOnFile authorization check incorrectly interpreted as granting universal access rather than denying by default. Second, ArcadeDBServer.createDatabase() omitted the factory.setSecurity() call when processing REST API database creation requests, causing all databases created via POST /api/v1/server {"command":"create database X"} to have their LocalSecurityContext entirely absent, disabling both record-level and type-level access controls. The Git commit diff shows fixes adding checkPermissionsOnDatabase calls during schema operations, injecting factory.setSecurity(getSecurity()) during database creation, and refactoring getDatabaseGroupsConfiguration to properly merge wildcard and database-specific group permissions rather than returning uninitialized objects.

RemediationAI

Upgrade ArcadeDB server to version 26.4.2 immediately, available from Maven Central (com.arcadedb:arcadedb-server:26.4.2) and confirmed by vendor advisory GHSA-fxc7-fm93-6q77. The fix commit 04110c06315da55604ac107f71fe7182f3a3deb8 addresses both authorization bypass mechanisms through code changes to LocalDocumentType.createProperty (adds schema permission checks), ArcadeDBServer.createDatabase (injects security factory), and ServerSecurity.getDatabaseGroupsConfiguration (properly merges wildcard and database-specific permissions). No workaround provides equivalent security-the authorization logic flaws are structural. For organizations unable to patch immediately, implement network-level database isolation placing each ArcadeDB database on separate server instances behind dedicated firewalls, accepting the operational overhead and loss of multi-database query capabilities. Disable the POST /api/v1/server database creation endpoint via reverse proxy ACLs to mitigate the second defect, though the first defect (cross-database access via uninitialized maps) remains exploitable. Audit all API tokens and user accounts for scope violations post-upgrade, as prior unauthorized cross-database operations would not have generated authorization failure logs.

Share

CVE-2026-44221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy