Skip to main content

ArcadeDB CVE-2026-54076

HIGH
Missing Authorization (CWE-862)
2026-07-16 https://github.com/ArcadeData/arcadedb GHSA-vg6x-6pg9-6qwg
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
7.1 HIGH

Network HTTP endpoint (AV:N), any authenticated token suffices (PR:L), no UI; schema tampering gives high integrity impact but no data disclosure (C:N) and only partial availability degradation (A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 20:34 vuln.today
Analysis Generated
Jul 16, 2026 - 20:34 vuln.today
CVE Published
Jul 16, 2026 - 20:08 github-advisory
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 maven packages depend on com.arcadedb:arcadedb-engine (8 direct, 8 indirect)

Ecosystem-wide dependent count for version 26.6.1.

DescriptionGitHub Advisory

Impact

The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE_SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE_SCHEMA permission could still mutate the database schema on its own database:

  • DROP PROPERTY <type>.<property>
  • ALTER TYPE <name> SUPERTYPE +<other> / -<other> (change the inheritance hierarchy)
  • ALTER TYPE <name> NAME <newName> (rename a type)
  • type alias and bucket changes
  • ALTER PROPERTY <type>.<property> ... (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) - the LocalProperty setters had no check at all

This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE_SCHEMA as the gating right for schema mutation.

Affected component

Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.

Patches

Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.

Workarounds

Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.

Resources

Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.

Credit

Reported by Kai Aizen (SnailSploit).

AnalysisAI

Missing-authorization schema tampering in ArcadeDB before 26.6.1 lets any authenticated identity - including a read-only API token that lacks the UPDATE_SCHEMA permission - mutate the database schema over the HTTP command/query endpoints. Because CVE-2026-44221's fix only added the UPDATE_SCHEMA check to LocalDocumentType.createProperty, the remaining schema mutators (DROP PROPERTY, ALTER TYPE, ALTER PROPERTY, type/bucket/alias changes) stayed unguarded, so a low-privilege user can drop properties, rename or re-parent types, and flip property constraints, corrupting the meaning of every stored record. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege or read-only API token
Delivery
Reach database command/query HTTP endpoint
Exploit
Send ALTER TYPE / DROP PROPERTY DDL
Execution
Schema mutator runs without UPDATE_SCHEMA check
Impact
Schema corrupted, stored records lose meaning

Vulnerability AssessmentAI

Exploitation Requires an authenticated identity on the target ArcadeDB database - the CVSS vector's PR:L confirms low-privilege authentication is needed, and the description specifies this can be as little as a read-only API token that lacks UPDATE_SCHEMA. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, base 8.1) is internally consistent with the description: network-reachable HTTP endpoints, low complexity, and low privileges (any authenticated token) with no user interaction, yielding high integrity impact and no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any valid ArcadeDB credential or a read-only API token - for example a token issued to a reporting service - sends an SQL DDL statement such as DROP PROPERTY User.email or ALTER TYPE Account NAME LegacyAccount to the database command HTTP endpoint. The server executes it without checking UPDATE_SCHEMA, silently corrupting the schema so that stored records lose their meaning and dependent application logic breaks. …
Remediation Vendor-released patch: 26.6.1 - upgrade ArcadeDB (arcadedb-engine) to 26.6.1 or later, where every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper (the check is a no-op in embedded mode and for system contexts with no bound user, so schema-load-at-startup, HA replication, and administrators are unaffected). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, prioritize upgrade planning to ArcadeDB 26.6.1 across all production systems and identify all applications and API token holders connected to affected instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-54076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy