{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/arcadedb-server--26.7.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcadedb-server (\u003c 26.7.2)"],"_cs_severities":["high"],"_cs_tags":["idor","authorization-bypass","arcadedb","web-application"],"_cs_type":"advisory","_cs_vendors":["ArcadeDB"],"content_html":"\u003cp\u003eArcadeDB, an open-source NoSQL graph database, contains a critical Insecure Direct Object Reference (IDOR) vulnerability (GHSA-x8mg-6r4p-87pf) affecting server versions prior to 26.7.2. This flaw allows a user with valid credentials, who is authorized to access only one database, to bypass authorization checks and gain full read and write access to other, unauthorized databases within the same ArcadeDB instance. The vulnerability stems from 14 specific HTTP handlers (including those for batch operations, time-series data, Prometheus, and Grafana integrations) which directly extend \u003ccode\u003eAbstractServerHttpHandler\u003c/code\u003e instead of the secure \u003ccode\u003eDatabaseAbstractHandler\u003c/code\u003e, failing to invoke the crucial \u003ccode\u003euser.canAccessToDatabase()\u003c/code\u003e function. Exploitation of this vulnerability grants attackers unauthorized control over sensitive data across different databases, posing a significant risk of data exfiltration, manipulation, or integrity compromise. This issue directly impacts organizations using ArcadeDB for multi-tenant or segmented data storage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Authentication\u003c/strong\u003e: An attacker obtains valid user credentials for an ArcadeDB instance, successfully authenticating and gaining authorized access to at least one specific database (e.g., 'DB A').\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Vulnerable Endpoints\u003c/strong\u003e: The attacker identifies specific ArcadeDB HTTP API endpoints, such as \u003ccode\u003e/api/v1/batch/{db}\u003c/code\u003e, \u003ccode\u003e/api/v1/ts/{db}/write\u003c/code\u003e, or \u003ccode\u003e/api/v1/ts/{db}/prom/api/v1/query\u003c/code\u003e, which are known to be affected by the IDOR vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious HTTP Request\u003c/strong\u003e: The attacker crafts an HTTP request (GET or POST) targeting one of the identified vulnerable endpoints. Crucially, the attacker substitutes the database identifier in the URL path parameter (e.g., \u003ccode\u003e{db}\u003c/code\u003e) from their authorized database ('DB A') to an unauthorized target database ('DB B').\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorization Bypass\u003c/strong\u003e: Upon receiving the request, the ArcadeDB server's vulnerable HTTP handler (e.g., PostBatchHandler or PostTimeSeriesWriteHandler) processes the \u003ccode\u003e{database}\u003c/code\u003e path parameter without invoking the necessary \u003ccode\u003euser.canAccessToDatabase()\u003c/code\u003e authorization check.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Database Access\u003c/strong\u003e: The server proceeds to resolve and access the target database ('DB B') despite the attacker's lack of explicit authorization for it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePerform Unauthorized Operations\u003c/strong\u003e: The attacker successfully executes read (e.g., via \u003ccode\u003e/api/v1/ts/b/prom/api/v1/query\u003c/code\u003e) or write (e.g., via \u003ccode\u003e/api/v1/batch/b\u003c/code\u003e or \u003ccode\u003e/api/v1/ts/b/write\u003c/code\u003e) operations on the unauthorized 'DB B', receiving a \u0026quot;200 OK\u0026quot; HTTP status code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Manipulation\u003c/strong\u003e: Through these unauthorized operations, the attacker gains full control over 'DB B', allowing for data exfiltration, modification, or deletion, leading to compromise of data confidentiality and integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows an authenticated attacker to bypass authorization controls, gaining complete read and write access to any database within the ArcadeDB instance, regardless of their assigned permissions. This leads to a severe compromise of data confidentiality and integrity across all databases. Attackers can exfiltrate sensitive information, alter critical data, or even delete entire database contents. Organizations utilizing ArcadeDB for multi-tenant environments or to segregate data by user/department are particularly at risk, as an attacker with low-privilege access to one database could escalate their privileges to access all others.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch ArcadeDB\u003c/strong\u003e: Immediately upgrade ArcadeDB server instances to version 26.7.2 or later to apply the necessary security fixes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Webserver Logs\u003c/strong\u003e: Deploy the Sigma rule in this brief to your SIEM and monitor webserver logs for HTTP requests targeting the vulnerable \u003ccode\u003e/api/v1/batch/\u003c/code\u003e and \u003ccode\u003e/api/v1/ts/\u003c/code\u003e API endpoints.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Access Logs\u003c/strong\u003e: Periodically review webserver access logs for anomalous requests to the \u003ccode\u003e/api/v1/batch/{db}\u003c/code\u003e and \u003ccode\u003e/api/v1/ts/{db}/*\u003c/code\u003e paths, particularly for requests to database names that the originating user should not have access to.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:21:14Z","date_published":"2026-07-16T20:21:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-idor/","summary":"ArcadeDB server versions prior to 26.7.2 are vulnerable to a cross-database Insecure Direct Object Reference (IDOR) due to improper authorization checks in several HTTP handlers, enabling a user authorized for a specific database to gain full read and write access to other unauthorized databases by directly accessing specific API endpoints.","title":"ArcadeDB Cross-Database IDOR Vulnerability Allows Unauthorized Data Access","url":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-idor/"}],"language":"en","title":"CraftedSignal Threat Feed - Arcadedb-Server (\u003c 26.7.2)","version":"https://jsonfeed.org/version/1.1"}