<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Arcadedb-Engine (&lt; 26.6.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/arcadedb-engine--26.6.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 20:07:35 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/arcadedb-engine--26.6.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>ArcadeDB IMPORT DATABASE Allows SSRF and Arbitrary Local File Read</title><link>https://feed.craftedsignal.io/briefs/2026-07-arcadedb-ssrf-file-read/</link><pubDate>Thu, 16 Jul 2026 20:07:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-arcadedb-ssrf-file-read/</guid><description>Authenticated users can exploit an unvalidated `IMPORT DATABASE` function in ArcadeDB (CVE-2026-54077) to perform Server-Side Request Forgery (CWE-918) against cloud metadata endpoints and internal services, or achieve arbitrary local file read (CWE-22) via `file://` paths, exposing sensitive data.</description><content:encoded><![CDATA[<p>A high-severity vulnerability (CVE-2026-54077) in ArcadeDB versions prior to 26.6.1 allows authenticated users to perform Server-Side Request Forgery (SSRF) and arbitrary local file reads. The flaw exists in the <code>IMPORT DATABASE</code> SQL statement, which did not require administrative privileges and failed to validate the source URL provided to its importer. This allows any authenticated user with SQL command access, not just root or administrators, to force the ArcadeDB server to make HTTP(S) requests to arbitrary internal and external destinations, including cloud metadata endpoints (e.g., <code>169.254.169.254</code>). Attackers can also leverage <code>file://</code> paths to read sensitive local files, such as <code>/etc/passwd</code> or credential files, which are then ingested as queryable database records. The issue is critical as it enables information disclosure, internal network reconnaissance, and potential lateral movement from a compromised authenticated user account within an ArcadeDB deployment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated user with SQL command access connects to the ArcadeDB server's SQL command/query endpoints (<code>/api/v1/command</code>, <code>/api/v1/query</code>).</li>
<li>The user crafts and executes an <code>IMPORT DATABASE</code> SQL statement specifying a target URL or file path.</li>
<li>To achieve Server-Side Request Forgery (SSRF), the user provides an HTTP(S) URL pointing to an internal service or a cloud metadata endpoint (e.g., <code>http://169.254.169.254/latest/meta-data/</code>).</li>
<li>The ArcadeDB server executes the <code>IMPORT DATABASE</code> statement, making an unvalidated outbound HTTP(S) request to the specified URL.</li>
<li>The server ingests the HTTP response content from the internal service or cloud metadata endpoint into a database record, allowing the attacker to query the retrieved information.</li>
<li>Alternatively, to achieve arbitrary local file read, the user provides a <code>file://</code> path to a sensitive system file (e.g., <code>file:///etc/passwd</code>, <code>/etc/shadow</code>, or credential files).</li>
<li>The ArcadeDB server executes the <code>IMPORT DATABASE</code> statement, attempting to read the local file without proper path validation.</li>
<li>The server ingests the file's content into a database record, enabling the authenticated attacker to retrieve and view the sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54077 allows authenticated users to bypass security controls, gaining unauthorized access to internal network resources and sensitive local files residing on the ArcadeDB server. This can lead to significant information disclosure, including cloud instance metadata, internal service configurations, and system-level credentials. Any organization using vulnerable versions of ArcadeDB is at risk, particularly if untrusted users have SQL query access or if the server is deployed in an environment with access to sensitive internal networks or cloud APIs. The consequences of this data exposure could include unauthorized data exfiltration, lateral movement within the network, or further exploitation of exposed internal services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-54077 by upgrading ArcadeDB to version <code>26.6.1</code> or later immediately.</li>
<li>Restrict SQL command/query access in ArcadeDB to only trusted administrative users, as specified in the workarounds section of the advisory.</li>
<li>Deploy the provided Sigma rules to your SIEM and tune them for your environment, especially regarding the specific process identity of your ArcadeDB instance, to detect suspicious network connections and file access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>arcadedb</category><category>ssrf</category><category>file-read</category><category>cve</category><category>database</category></item><item><title>ArcadeDB Authorization Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-arcadedb-auth-bypass/</link><pubDate>Tue, 05 May 2026 22:22:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-arcadedb-auth-bypass/</guid><description>ArcadeDB versions prior to 26.4.2 are vulnerable to an authorization bypass, allowing authenticated users and API tokens scoped to a specific database to read, write, and mutate schema on any other database on the same server, and disabling the record-level authorization system for newly created databases.</description><content:encoded><![CDATA[<p>ArcadeDB, a multi-model database, is susceptible to an authorization bypass vulnerability affecting versions prior to 26.4.2. This vulnerability stems from two distinct defects: first, the <code>ServerSecurityUser.getDatabaseUser()</code> method returns a database user with an uninitialized file access map, which is then incorrectly interpreted as allowing all access. Second, the <code>ArcadeDBServer.createDatabase()</code> method omits the <code>factory.setSecurity(...)</code> call, effectively disabling the record-level authorization system for any database created via the API endpoint <code>POST /api/v1/server {&quot;command&quot;:&quot;create database X&quot;}</code>.  This combination of flaws allows authenticated principals to bypass both record-level and database-level authorization constraints.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the ArcadeDB server with valid credentials for a specific database.</li>
<li>The attacker leverages the <code>ServerSecurityUser.getDatabaseUser()</code> flaw to gain unauthorized access to other databases.</li>
<li>The attacker exploits the uninitialized <code>fileAccessMap</code> vulnerability, allowing them to bypass file access checks.</li>
<li>The attacker crafts a request to read data from a database they should not have access to, such as <code>GET /api/v1/database/OtherDatabase/query/sql/SELECT%20*%20FROM%20SomeTable</code>.</li>
<li>The server incorrectly authorizes the request due to the flawed access control mechanisms.</li>
<li>The attacker then attempts to modify the schema of another database using API calls that would normally be restricted based on database-level permissions. For example, <code>POST /api/v1/database/OtherDatabase {&quot;command&quot;:&quot;alter database X&quot;}</code>.</li>
<li>If an attacker creates a new database using <code>POST /api/v1/server {&quot;command&quot;:&quot;create database X&quot;}</code>, the record-level authorization system is disabled due to the missing <code>factory.setSecurity(...)</code> call.</li>
<li>The attacker then exploits the newly created database, which has no security checks, gaining complete control over its data and schema.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthorized access to sensitive data stored in other databases within the same ArcadeDB server. An attacker can read, write, and modify data across multiple databases, leading to potential data breaches, data corruption, and complete system compromise. Organizations using affected versions of ArcadeDB are at risk of significant data loss and reputational damage.  The vulnerability affects all deployments using versions prior to 26.4.2.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ArcadeDB server to version 26.4.2 to patch CVE-2026-44221 and resolve the authorization bypass vulnerability.</li>
<li>Monitor web server logs for unusual API requests targeting multiple databases from a single authenticated user to detect potential exploitation attempts, and deploy the provided Sigma rule <code>Detect ArcadeDB Database Access from Different IPs</code> to detect this activity.</li>
<li>Implement rate limiting on API endpoints to mitigate potential brute-force attacks aimed at exploiting this vulnerability and use <code>Detect ArcadeDB Unsecured Database Creation</code> Sigma rule to detect unauthorized database creation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authorization bypass</category><category>privilege escalation</category><category>cve-2026-44221</category></item></channel></rss>