{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/arcadedb-engine--26.7.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcadedb-engine (\u003c 26.7.2)"],"_cs_severities":["high"],"_cs_tags":["ArcadeDB","RCE","vulnerability","java","database","privilege-escalation","SSRF","DoS","javascript","sql-command-injection"],"_cs_type":"advisory","_cs_vendors":["ArcadeDB"],"content_html":"\u003cp\u003eA high-severity vulnerability has been identified in ArcadeDB, affecting versions prior to 26.7.2. The \u003ccode\u003eScriptTriggerExecutor\u003c/code\u003e component, responsible for executing trigger scripts, includes \u003ccode\u003ejava.lang.*\u003c/code\u003e in its allowed packages. This oversight permits an authenticated attacker with \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e privileges (a schema administrator) to craft and deploy a malicious JavaScript trigger. When such a trigger fires, it can invoke \u003ccode\u003ejava.lang.Runtime.exec()\u003c/code\u003e, leading to arbitrary operating system command execution on the host server where ArcadeDB is running. This effectively escalates privileges from a database schema administrator to remote code execution on the underlying operating system, posing a significant risk to the integrity and confidentiality of the host system and the data stored within ArcadeDB.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e administrative privileges within an ArcadeDB instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious database trigger script that includes an OS command execution payload.\u003c/li\u003e\n\u003cli\u003eThe attacker registers this malicious trigger within ArcadeDB using the \u003ccode\u003eCREATE TRIGGER ... EXECUTE JAVASCRIPT\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe JavaScript payload within the trigger leverages the permissive \u003ccode\u003ejava.lang.*\u003c/code\u003e allow-list to call \u003ccode\u003eJava.type(\u0026quot;java.lang.Runtime\u0026quot;).getRuntime().exec(...)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted trigger is saved into the database schema, awaiting its activation conditions.\u003c/li\u003e\n\u003cli\u003eA subsequent database operation or event occurs that satisfies the conditions for the newly created malicious trigger to fire.\u003c/li\u003e\n\u003cli\u003eThe ArcadeDB \u003ccode\u003eScriptTriggerExecutor\u003c/code\u003e processes the trigger, and due to \u003ccode\u003ejava.lang.*\u003c/code\u003e being in the allow-list, the \u003ccode\u003ejava.lang.Runtime.exec()\u003c/code\u003e call is permitted.\u003c/li\u003e\n\u003cli\u003eThe attacker's specified operating system commands are executed on the host server with the privileges of the ArcadeDB process, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in arbitrary remote code execution on the server hosting ArcadeDB. This allows an attacker to completely compromise the underlying operating system, potentially leading to data exfiltration, deletion, or modification of any data accessible by the ArcadeDB process. While it requires an attacker to first obtain \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e privileges, the RCE then allows for privilege escalation from a schema administrator role to full system control. The compromise can affect any operating system ArcadeDB is deployed on, including Windows, Linux, and macOS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ArcadeDB installations immediately to version 26.7.2 or later to apply the official patch.\u003c/li\u003e\n\u003cli\u003eReview and ensure strict access controls are in place for users assigned \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eAdministrators should monitor database logs for suspicious \u003ccode\u003eCREATE TRIGGER\u003c/code\u003e statements that include \u003ccode\u003eJAVASCRIPT\u003c/code\u003e execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:22:19Z","date_published":"2026-07-16T20:17:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/","summary":"A vulnerability in ArcadeDB's ScriptTriggerExecutor allows users with UPDATE_SCHEMA privileges to achieve OS Remote Code Execution (RCE) due to a permissive allow-list for trigger scripts, enabling direct calls to `java.lang.Runtime.exec()` when a malicious trigger script is created and fired.","title":"ArcadeDB Trigger Script RCE via Java.lang.* Allow-list","url":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Arcadedb-Engine (\u003c 26.7.2)","version":"https://jsonfeed.org/version/1.1"}