Skip to main content

ArcadeDB CVE-2026-54077

HIGH
Path Traversal (CWE-22)
2026-07-16 https://github.com/ArcadeData/arcadedb GHSA-8w86-m9h8-hvqg
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
vuln.today AI
7.6 HIGH

Network-reachable SQL endpoint with only low-privileged authentication (PR:L), no user interaction; high confidentiality from file/metadata read, low integrity since fetched data is written as records, low availability from DTD entity expansion.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 20:33 vuln.today
Analysis Generated
Jul 16, 2026 - 20:33 vuln.today
CVE Published
Jul 16, 2026 - 20:05 github-advisory
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 maven packages depend on com.arcadedb:arcadedb-engine (8 direct, 8 indirect)

Ecosystem-wide dependent count for version 26.6.1.

DescriptionGitHub Advisory

Impact

The SQL IMPORT DATABASE statement did not require administrative privileges and passed its source URL to the importer without validation. Any authenticated user with SQL command access (not only root/administrators) could therefore:

  • Server-Side Request Forgery (CWE-918): cause the server to issue HTTP(S) requests to arbitrary destinations, including cloud metadata endpoints (e.g. 169.254.169.254) and internal-only services, and ingest the responses as queryable records.
  • Arbitrary local file read (CWE-22): read local files reachable by the server process (e.g. /etc/passwd, credential files) by importing file:// paths, exposing their contents as records.

The server administration endpoint (/api/v1/server) was already restricted to the root user and was not affected; the exposure was through the database SQL command/query endpoints (/api/v1/command, /api/v1/query).

A related lower-severity hardening gap (CWE-776): the XML importer did not disable DTD processing, leaving entity-expansion (Billion Laughs) possible.

Affected component

integration/src/main/java/com/arcadedb/integration/importer/SourceDiscovery.java (no host allow-list for http(s); no path validation for file://), reached from engine/.../query/sql/parser/ImportDatabaseStatement.java.

Patches

  • IMPORT DATABASE now requires the administrative updateSecurity permission (no-op in embedded mode).
  • Import sources are validated in SourceDiscovery: HTTP(S) hosts resolving to loopback / link-local / private (site-local) / wildcard / multicast addresses are blocked by default (arcadedb.server.security.importBlockLocalNetworks, default true), and an optional local-path allow-list (arcadedb.server.security.importAllowedLocalPaths) restricts file:// reads.
  • The XML importer now disables DTD processing and external entities.

Fixed in commit referenced by pull request #4422.

Workarounds

Restrict SQL command/query access to trusted administrative users; do not grant query access to untrusted users on servers that can reach sensitive networks or hold sensitive local files. Upgrading is strongly recommended.

Credit

Reported by Bin Luo (luob87709@gmail.com).

AnalysisAI

Server-Side Request Forgery and arbitrary local file read in ArcadeDB before 26.6.1 let any authenticated user with SQL command/query access - not just root/administrators - abuse the SQL IMPORT DATABASE statement, whose source URL was passed to the importer unchecked. Because it required no administrative privileges, a low-privileged user could force the server to fetch arbitrary HTTP(S) endpoints (including cloud metadata at 169.254.169.254 and internal-only services) and ingest the responses as queryable records, or read local files such as /etc/passwd and credential files via file:// paths. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with SQL command access
Delivery
Submit IMPORT DATABASE with crafted source URL
Exploit
Server fetches metadata endpoint or reads file:// path
Execution
Response ingested as queryable records
Impact
Query back exfiltrated credentials or file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated ArcadeDB account (any user with SQL command/query access via `/api/v1/command` or `/api/v1/query`) on a server-mode deployment; administrative/root privileges are NOT required, which is the core of the flaw. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L, base 7.1) aligns well with the description: network-reachable, low complexity, requires low-level authentication (PR:L - any user with SQL access, so authenticated but not administrative), no user interaction, high confidentiality impact (file/metadata disclosure), no integrity impact, and low availability impact (consistent with the Billion Laughs DTD expansion). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a non-administrative ArcadeDB account with SQL command access authenticates to `/api/v1/command` and issues an `IMPORT DATABASE` statement pointing at `http://169.254.169.254/latest/meta-data/iam/security-credentials/`, causing the server to fetch the cloud IAM credentials and store them as queryable records the attacker can then read back. Alternatively they import a `file:///etc/passwd` (or a config/credential file) path to exfiltrate local file contents. …
Remediation Vendor-released patch: upgrade to ArcadeDB 26.6.1 (https://github.com/ArcadeData/arcadedb/releases/tag/26.6.1), which fixes the issue via pull request #4422. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running ArcadeDB prior to version 26.6.1 and immediately restrict SQL IMPORT DATABASE command access to trusted administrative staff; enable and review access logs for any unauthorized queries. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-54077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy