Basekick Labs Arc CVE-2026-47735
HIGHLifecycle Timeline
2DescriptionCVE.org
Summary
Arc's user-SQL validator (internal/api/query.go:ValidateSQLRequest) blocked only read_parquet( and arc_partition_agg( via regex denylist. The broader DuckDB I/O function family - read_csv_auto, read_csv, read_json, read_json_auto, read_text, read_blob, glob, parquet_metadata, parquet_schema, read_xlsx, etc. - was not blocked. RBAC table-reference extraction inspected only FROM/JOIN clauses, so scalar table functions in the SELECT list slipped past both layers.
Impact
Any authenticated user, including a token with permissions: [], can read arbitrary local files via:
POST /api/v1/query
Authorization: Bearer <token>
{"sql": "SELECT * FROM read_csv_auto('/etc/passwd', header=false, columns={'l':'VARCHAR'}) LIMIT 5"}Confirmed reachable targets:
auth.db- bcrypt hashes for every API token, plus legacy SHA-256 rows.arc.toml- S3 secrets, TLS keys./proc/self/environ- environment-variable secrets.- Cross-tenant Parquet files - bypasses RBAC because the tenant scope is enforced at the table layer, not on raw file paths.
- SSRF when
httpfsis loaded (any S3-backed deployment) -read_csv_auto('http://169.254.169.254/latest/meta-data/...')reaches instance metadata IPs.
Patches
Fixed in 2026.06.1 (PR #442) via a structural sandbox at the DuckDB layer:
SET GLOBAL allowed_directories = [...]enumerates Arc's legitimate filesystem prefixes (storage roots + tier prefixes + import upload dir + compaction temp).SET GLOBAL enable_external_access = false(one-way at runtime).- Verified by reading back the flag.
After lockdown, DuckDB refuses to open any file outside the allowlist and refuses further INSTALL/LOAD. Already-loaded extensions remain callable.
Workarounds
- Restrict API access to known-trusted networks via firewall rules.
- Temporary mitigation: add
read_csv*/read_json*/globetc. todangerousSQLPatternininternal/api/query.gopending 2026.06.1.
Credits
Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.
AnalysisAI
Authenticated arbitrary local file read in Basekick Labs Arc analytics platform allows any token holder - even one with an empty permissions array - to exfiltrate sensitive host files (auth.db bcrypt hashes, arc.toml S3/TLS secrets, /proc/self/environ) and pivot to SSRF against cloud metadata endpoints by abusing unblocked DuckDB I/O functions in the SELECT clause. The flaw stems from an incomplete regex denylist in internal/api/query.go that filtered only read_parquet and arc_partition_agg while leaving the wider DuckDB I/O family (read_csv_auto, read_json, read_text, read_blob, glob, parquet_metadata, read_xlsx, etc.) and SELECT-list scalar table functions unguarded. No public exploit identified at time of analysis, but the GHSA advisory ships a working single-request proof-of-concept and the fix is shipped in Arc 2026.06.1.
Technical ContextAI
Arc embeds DuckDB to execute user-supplied SQL submitted to POST /api/v1/query. DuckDB exposes a rich family of scalar table functions that can open files directly by path (read_csv_auto, read_json/_auto, read_text, read_blob, glob, parquet_metadata, parquet_schema, read_xlsx) and, when the httpfs extension is loaded, can also fetch HTTP/S3 URLs. Arc's defense was twofold: a regex denylist (ValidateSQLRequest) and an RBAC layer that parsed table references to enforce tenant scoping. The denylist enumerated only two function names, and the RBAC extractor inspected only FROM/JOIN clauses, so a table function placed in the SELECT projection bypassed both. The root cause maps to CWE-22 (Path Traversal) - the application accepts attacker-controlled file paths and passes them to a backend that performs unrestricted filesystem and network access. Affected package per CPE pkg:go/github.com_basekick-labs_arc; fix lands as a structural sandbox using DuckDB's SET GLOBAL allowed_directories and SET GLOBAL enable_external_access=false primitives, which are enforced uniformly across the connection pool.
RemediationAI
Vendor-released patch: upgrade to Arc 2026.06.1 (fix commit 91bdc29d1a02), which replaces the regex denylist with a structural DuckDB sandbox that sets allowed_directories to Arc's legitimate filesystem and object-storage prefixes and flips enable_external_access to false one-way at startup, then reads the flag back to verify. See https://github.com/Basekick-Labs/arc/pull/442 and https://github.com/Basekick-Labs/arc/commit/91bdc29d1a02178ccf8c66375eccf85203108dfb. Operators upgrading should note that storage.local_path, database.temp_directory, compaction.temp_directory, and the arcx storage root are now resolved to absolute paths, and multipart uploads move from os.TempDir() to ${database.temp_directory}/arc-uploads. If immediate upgrade is impossible, the vendor-suggested temporary mitigations are to restrict the /api/v1/query endpoint to known-trusted networks via firewall rules (trade-off: blocks legitimate remote analyst access) and to extend dangerousSQLPattern in internal/api/query.go to also block read_csv*, read_json*, read_text, read_blob, glob, parquet_metadata, parquet_schema, and read_xlsx (trade-off: regex denylist is what failed originally, so any missed alias or whitespace variant reopens the bypass). After upgrade, treat all previously issued API tokens and any secrets stored in auth.db, arc.toml, or process environment as potentially compromised and rotate them.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p2j4-c4g6-rpf5