ArcadeDB CVE-2026-54076
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Network HTTP endpoint (AV:N), any authenticated token suffices (PR:L), no UI; schema tampering gives high integrity impact but no data disclosure (C:N) and only partial availability degradation (A:L).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 16 maven packages depend on com.arcadedb:arcadedb-engine (8 direct, 8 indirect)
Ecosystem-wide dependent count for version 26.6.1.
DescriptionGitHub Advisory
Impact
The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE_SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE_SCHEMA permission could still mutate the database schema on its own database:
DROP PROPERTY <type>.<property>ALTER TYPE <name> SUPERTYPE +<other>/-<other>(change the inheritance hierarchy)ALTER TYPE <name> NAME <newName>(rename a type)- type alias and bucket changes
ALTER PROPERTY <type>.<property> ...(MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) - theLocalPropertysetters had no check at all
This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE_SCHEMA as the gating right for schema mutation.
Affected component
Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.
Patches
Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.
Workarounds
Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.
Resources
Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.
Credit
Reported by Kai Aizen (SnailSploit).
Articles & Coverage 1
AnalysisAI
Missing-authorization schema tampering in ArcadeDB before 26.6.1 lets any authenticated identity - including a read-only API token that lacks the UPDATE_SCHEMA permission - mutate the database schema over the HTTP command/query endpoints. Because CVE-2026-44221's fix only added the UPDATE_SCHEMA check to LocalDocumentType.createProperty, the remaining schema mutators (DROP PROPERTY, ALTER TYPE, ALTER PROPERTY, type/bucket/alias changes) stayed unguarded, so a low-privilege user can drop properties, rename or re-parent types, and flip property constraints, corrupting the meaning of every stored record. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated identity on the target ArcadeDB database - the CVSS vector's PR:L confirms low-privilege authentication is needed, and the description specifies this can be as little as a read-only API token that lacks UPDATE_SCHEMA. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, base 8.1) is internally consistent with the description: network-reachable HTTP endpoints, low complexity, and low privileges (any authenticated token) with no user interaction, yielding high integrity impact and no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any valid ArcadeDB credential or a read-only API token - for example a token issued to a reporting service - sends an SQL DDL statement such as DROP PROPERTY User.email or ALTER TYPE Account NAME LegacyAccount to the database command HTTP endpoint. The server executes it without checking UPDATE_SCHEMA, silently corrupting the schema so that stored records lose their meaning and dependent application logic breaks. … |
| Remediation | Vendor-released patch: 26.6.1 - upgrade ArcadeDB (arcadedb-engine) to 26.6.1 or later, where every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper (the check is a no-op in embedded mode and for system contexts with no bound user, so schema-load-at-startup, HA replication, and administrators are unaffected). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, prioritize upgrade planning to ArcadeDB 26.6.1 across all production systems and identify all applications and API token holders connected to affected instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vg6x-6pg9-6qwg