{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/arcadedb-engine--26.6.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcadedb-engine (\u003c 26.6.1)"],"_cs_severities":["high"],"_cs_tags":["arcadedb","ssrf","file-read","cve","database"],"_cs_type":"advisory","_cs_vendors":["ArcadeData"],"content_html":"\u003cp\u003eA high-severity vulnerability (CVE-2026-54077) in ArcadeDB versions prior to 26.6.1 allows authenticated users to perform Server-Side Request Forgery (SSRF) and arbitrary local file reads. The flaw exists in the \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e SQL statement, which did not require administrative privileges and failed to validate the source URL provided to its importer. This allows any authenticated user with SQL command access, not just root or administrators, to force the ArcadeDB server to make HTTP(S) requests to arbitrary internal and external destinations, including cloud metadata endpoints (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e). Attackers can also leverage \u003ccode\u003efile://\u003c/code\u003e paths to read sensitive local files, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e or credential files, which are then ingested as queryable database records. The issue is critical as it enables information disclosure, internal network reconnaissance, and potential lateral movement from a compromised authenticated user account within an ArcadeDB deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with SQL command access connects to the ArcadeDB server's SQL command/query endpoints (\u003ccode\u003e/api/v1/command\u003c/code\u003e, \u003ccode\u003e/api/v1/query\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe user crafts and executes an \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e SQL statement specifying a target URL or file path.\u003c/li\u003e\n\u003cli\u003eTo achieve Server-Side Request Forgery (SSRF), the user provides an HTTP(S) URL pointing to an internal service or a cloud metadata endpoint (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ArcadeDB server executes the \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e statement, making an unvalidated outbound HTTP(S) request to the specified URL.\u003c/li\u003e\n\u003cli\u003eThe server ingests the HTTP response content from the internal service or cloud metadata endpoint into a database record, allowing the attacker to query the retrieved information.\u003c/li\u003e\n\u003cli\u003eAlternatively, to achieve arbitrary local file read, the user provides a \u003ccode\u003efile://\u003c/code\u003e path to a sensitive system file (e.g., \u003ccode\u003efile:///etc/passwd\u003c/code\u003e, \u003ccode\u003e/etc/shadow\u003c/code\u003e, or credential files).\u003c/li\u003e\n\u003cli\u003eThe ArcadeDB server executes the \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e statement, attempting to read the local file without proper path validation.\u003c/li\u003e\n\u003cli\u003eThe server ingests the file's content into a database record, enabling the authenticated attacker to retrieve and view the sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54077 allows authenticated users to bypass security controls, gaining unauthorized access to internal network resources and sensitive local files residing on the ArcadeDB server. This can lead to significant information disclosure, including cloud instance metadata, internal service configurations, and system-level credentials. Any organization using vulnerable versions of ArcadeDB is at risk, particularly if untrusted users have SQL query access or if the server is deployed in an environment with access to sensitive internal networks or cloud APIs. The consequences of this data exposure could include unauthorized data exfiltration, lateral movement within the network, or further exploitation of exposed internal services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54077 by upgrading ArcadeDB to version \u003ccode\u003e26.6.1\u003c/code\u003e or later immediately.\u003c/li\u003e\n\u003cli\u003eRestrict SQL command/query access in ArcadeDB to only trusted administrative users, as specified in the workarounds section of the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune them for your environment, especially regarding the specific process identity of your ArcadeDB instance, to detect suspicious network connections and file access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:07:35Z","date_published":"2026-07-16T20:07:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-ssrf-file-read/","summary":"Authenticated users can exploit an unvalidated `IMPORT DATABASE` function in ArcadeDB (CVE-2026-54077) to perform Server-Side Request Forgery (CWE-918) against cloud metadata endpoints and internal services, or achieve arbitrary local file read (CWE-22) via `file://` paths, exposing sensitive data.","title":"ArcadeDB IMPORT DATABASE Allows SSRF and Arbitrary Local File Read","url":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-ssrf-file-read/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-44221"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcadedb-server","ArcadeDB","arcadedb-engine (\u003c 26.6.1)"],"_cs_severities":["critical"],"_cs_tags":["authorization bypass","privilege escalation","cve-2026-44221"],"_cs_type":"advisory","_cs_vendors":["ArcadeData","ArcadeDB"],"content_html":"\u003cp\u003eArcadeDB, a multi-model database, is susceptible to an authorization bypass vulnerability affecting versions prior to 26.4.2. This vulnerability stems from two distinct defects: first, the \u003ccode\u003eServerSecurityUser.getDatabaseUser()\u003c/code\u003e method returns a database user with an uninitialized file access map, which is then incorrectly interpreted as allowing all access. Second, the \u003ccode\u003eArcadeDBServer.createDatabase()\u003c/code\u003e method omits the \u003ccode\u003efactory.setSecurity(...)\u003c/code\u003e call, effectively disabling the record-level authorization system for any database created via the API endpoint \u003ccode\u003ePOST /api/v1/server {\u0026quot;command\u0026quot;:\u0026quot;create database X\u0026quot;}\u003c/code\u003e.  This combination of flaws allows authenticated principals to bypass both record-level and database-level authorization constraints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ArcadeDB server with valid credentials for a specific database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the \u003ccode\u003eServerSecurityUser.getDatabaseUser()\u003c/code\u003e flaw to gain unauthorized access to other databases.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the uninitialized \u003ccode\u003efileAccessMap\u003c/code\u003e vulnerability, allowing them to bypass file access checks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to read data from a database they should not have access to, such as \u003ccode\u003eGET /api/v1/database/OtherDatabase/query/sql/SELECT%20*%20FROM%20SomeTable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly authorizes the request due to the flawed access control mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to modify the schema of another database using API calls that would normally be restricted based on database-level permissions. For example, \u003ccode\u003ePOST /api/v1/database/OtherDatabase {\u0026quot;command\u0026quot;:\u0026quot;alter database X\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf an attacker creates a new database using \u003ccode\u003ePOST /api/v1/server {\u0026quot;command\u0026quot;:\u0026quot;create database X\u0026quot;}\u003c/code\u003e, the record-level authorization system is disabled due to the missing \u003ccode\u003efactory.setSecurity(...)\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eThe attacker then exploits the newly created database, which has no security checks, gaining complete control over its data and schema.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized access to sensitive data stored in other databases within the same ArcadeDB server. An attacker can read, write, and modify data across multiple databases, leading to potential data breaches, data corruption, and complete system compromise. Organizations using affected versions of ArcadeDB are at risk of significant data loss and reputational damage.  The vulnerability affects all deployments using versions prior to 26.4.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ArcadeDB server to version 26.4.2 to patch CVE-2026-44221 and resolve the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests targeting multiple databases from a single authenticated user to detect potential exploitation attempts, and deploy the provided Sigma rule \u003ccode\u003eDetect ArcadeDB Database Access from Different IPs\u003c/code\u003e to detect this activity.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate potential brute-force attacks aimed at exploiting this vulnerability and use \u003ccode\u003eDetect ArcadeDB Unsecured Database Creation\u003c/code\u003e Sigma rule to detect unauthorized database creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:10:01Z","date_published":"2026-05-05T22:22:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-arcadedb-auth-bypass/","summary":"ArcadeDB versions prior to 26.4.2 are vulnerable to an authorization bypass, allowing authenticated users and API tokens scoped to a specific database to read, write, and mutate schema on any other database on the same server, and disabling the record-level authorization system for newly created databases.","title":"ArcadeDB Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-arcadedb-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Arcadedb-Engine (\u003c 26.6.1)","version":"https://jsonfeed.org/version/1.1"}