<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Arcadedb-Engine (&lt; 26.7.2) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/arcadedb-engine--26.7.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 20:17:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/arcadedb-engine--26.7.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>ArcadeDB Trigger Script RCE via Java.lang.* Allow-list</title><link>https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/</link><pubDate>Thu, 16 Jul 2026 20:17:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/</guid><description>A vulnerability in ArcadeDB's ScriptTriggerExecutor allows users with UPDATE_SCHEMA privileges to achieve OS Remote Code Execution (RCE) due to a permissive allow-list for trigger scripts, enabling direct calls to `java.lang.Runtime.exec()` when a malicious trigger script is created and fired.</description><content:encoded><![CDATA[<p>A high-severity vulnerability has been identified in ArcadeDB, affecting versions prior to 26.7.2. The <code>ScriptTriggerExecutor</code> component, responsible for executing trigger scripts, includes <code>java.lang.*</code> in its allowed packages. This oversight permits an authenticated attacker with <code>UPDATE_SCHEMA</code> privileges (a schema administrator) to craft and deploy a malicious JavaScript trigger. When such a trigger fires, it can invoke <code>java.lang.Runtime.exec()</code>, leading to arbitrary operating system command execution on the host server where ArcadeDB is running. This effectively escalates privileges from a database schema administrator to remote code execution on the underlying operating system, posing a significant risk to the integrity and confidentiality of the host system and the data stored within ArcadeDB.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains <code>UPDATE_SCHEMA</code> administrative privileges within an ArcadeDB instance.</li>
<li>The attacker crafts a malicious database trigger script that includes an OS command execution payload.</li>
<li>The attacker registers this malicious trigger within ArcadeDB using the <code>CREATE TRIGGER ... EXECUTE JAVASCRIPT</code> command.</li>
<li>The JavaScript payload within the trigger leverages the permissive <code>java.lang.*</code> allow-list to call <code>Java.type(&quot;java.lang.Runtime&quot;).getRuntime().exec(...)</code>.</li>
<li>The crafted trigger is saved into the database schema, awaiting its activation conditions.</li>
<li>A subsequent database operation or event occurs that satisfies the conditions for the newly created malicious trigger to fire.</li>
<li>The ArcadeDB <code>ScriptTriggerExecutor</code> processes the trigger, and due to <code>java.lang.*</code> being in the allow-list, the <code>java.lang.Runtime.exec()</code> call is permitted.</li>
<li>The attacker's specified operating system commands are executed on the host server with the privileges of the ArcadeDB process, achieving remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in arbitrary remote code execution on the server hosting ArcadeDB. This allows an attacker to completely compromise the underlying operating system, potentially leading to data exfiltration, deletion, or modification of any data accessible by the ArcadeDB process. While it requires an attacker to first obtain <code>UPDATE_SCHEMA</code> privileges, the RCE then allows for privilege escalation from a schema administrator role to full system control. The compromise can affect any operating system ArcadeDB is deployed on, including Windows, Linux, and macOS.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ArcadeDB installations immediately to version 26.7.2 or later to apply the official patch.</li>
<li>Review and ensure strict access controls are in place for users assigned <code>UPDATE_SCHEMA</code> privileges.</li>
<li>Administrators should monitor database logs for suspicious <code>CREATE TRIGGER</code> statements that include <code>JAVASCRIPT</code> execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ArcadeDB</category><category>RCE</category><category>vulnerability</category><category>java</category><category>database</category><category>privilege-escalation</category><category>SSRF</category><category>DoS</category><category>javascript</category><category>sql-command-injection</category></item></channel></rss>