ArcadeDB IMPORT DATABASE Allows SSRF and Arbitrary Local File Read
Authenticated users can exploit an unvalidated `IMPORT DATABASE` function in ArcadeDB (CVE-2026-54077) to perform Server-Side Request Forgery (CWE-918) against cloud metadata endpoints and internal services, or achieve arbitrary local file read (CWE-22) via `file://` paths, exposing sensitive data.
A high-severity vulnerability (CVE-2026-54077) in ArcadeDB versions prior to 26.6.1 allows authenticated users to perform Server-Side Request Forgery (SSRF) and arbitrary local file reads. The flaw exists in the IMPORT DATABASE SQL statement, which did not require administrative privileges and failed to validate the source URL provided to its importer. This allows any authenticated user with SQL command access, not just root or administrators, to force the ArcadeDB server to make HTTP(S) requests to arbitrary internal and external destinations, including cloud metadata endpoints (e.g., 169.254.169.254). Attackers can also leverage file:// paths to read sensitive local files, such as /etc/passwd or credential files, which are then ingested as queryable database records. The issue is critical as it enables information disclosure, internal network reconnaissance, and potential lateral movement from a compromised authenticated user account within an ArcadeDB deployment.
Attack Chain
- An authenticated user with SQL command access connects to the ArcadeDB server's SQL command/query endpoints (
/api/v1/command,/api/v1/query). - The user crafts and executes an
IMPORT DATABASESQL statement specifying a target URL or file path. - To achieve Server-Side Request Forgery (SSRF), the user provides an HTTP(S) URL pointing to an internal service or a cloud metadata endpoint (e.g.,
http://169.254.169.254/latest/meta-data/). - The ArcadeDB server executes the
IMPORT DATABASEstatement, making an unvalidated outbound HTTP(S) request to the specified URL. - The server ingests the HTTP response content from the internal service or cloud metadata endpoint into a database record, allowing the attacker to query the retrieved information.
- Alternatively, to achieve arbitrary local file read, the user provides a
file://path to a sensitive system file (e.g.,file:///etc/passwd,/etc/shadow, or credential files). - The ArcadeDB server executes the
IMPORT DATABASEstatement, attempting to read the local file without proper path validation. - The server ingests the file's content into a database record, enabling the authenticated attacker to retrieve and view the sensitive data.
Impact
Successful exploitation of CVE-2026-54077 allows authenticated users to bypass security controls, gaining unauthorized access to internal network resources and sensitive local files residing on the ArcadeDB server. This can lead to significant information disclosure, including cloud instance metadata, internal service configurations, and system-level credentials. Any organization using vulnerable versions of ArcadeDB is at risk, particularly if untrusted users have SQL query access or if the server is deployed in an environment with access to sensitive internal networks or cloud APIs. The consequences of this data exposure could include unauthorized data exfiltration, lateral movement within the network, or further exploitation of exposed internal services.
Recommendation
- Patch CVE-2026-54077 by upgrading ArcadeDB to version
26.6.1or later immediately. - Restrict SQL command/query access in ArcadeDB to only trusted administrative users, as specified in the workarounds section of the advisory.
- Deploy the provided Sigma rules to your SIEM and tune them for your environment, especially regarding the specific process identity of your ArcadeDB instance, to detect suspicious network connections and file access.
Detection coverage 2
Detects CVE-2026-54077 Exploitation - ArcadeDB SSRF to Cloud Metadata
highDetects outbound network connections from the ArcadeDB server process to known cloud metadata IP addresses (e.g., 169.254.169.254), indicative of CVE-2026-54077 exploitation via SSRF.
Detects CVE-2026-54077 Exploitation - ArcadeDB Local Sensitive File Read
highDetects file read events by the ArcadeDB server process targeting sensitive system files (e.g., /etc/passwd, /etc/shadow), which can occur during CVE-2026-54077 exploitation via arbitrary local file read.
Detection queries are available on the platform. Get full rules →