{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/arcadedb/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcadedb-server (\u003c 26.7.2)"],"_cs_severities":["high"],"_cs_tags":["idor","authorization-bypass","arcadedb","web-application"],"_cs_type":"advisory","_cs_vendors":["ArcadeDB"],"content_html":"\u003cp\u003eArcadeDB, an open-source NoSQL graph database, contains a critical Insecure Direct Object Reference (IDOR) vulnerability (GHSA-x8mg-6r4p-87pf) affecting server versions prior to 26.7.2. This flaw allows a user with valid credentials, who is authorized to access only one database, to bypass authorization checks and gain full read and write access to other, unauthorized databases within the same ArcadeDB instance. The vulnerability stems from 14 specific HTTP handlers (including those for batch operations, time-series data, Prometheus, and Grafana integrations) which directly extend \u003ccode\u003eAbstractServerHttpHandler\u003c/code\u003e instead of the secure \u003ccode\u003eDatabaseAbstractHandler\u003c/code\u003e, failing to invoke the crucial \u003ccode\u003euser.canAccessToDatabase()\u003c/code\u003e function. Exploitation of this vulnerability grants attackers unauthorized control over sensitive data across different databases, posing a significant risk of data exfiltration, manipulation, or integrity compromise. This issue directly impacts organizations using ArcadeDB for multi-tenant or segmented data storage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Authentication\u003c/strong\u003e: An attacker obtains valid user credentials for an ArcadeDB instance, successfully authenticating and gaining authorized access to at least one specific database (e.g., 'DB A').\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Vulnerable Endpoints\u003c/strong\u003e: The attacker identifies specific ArcadeDB HTTP API endpoints, such as \u003ccode\u003e/api/v1/batch/{db}\u003c/code\u003e, \u003ccode\u003e/api/v1/ts/{db}/write\u003c/code\u003e, or \u003ccode\u003e/api/v1/ts/{db}/prom/api/v1/query\u003c/code\u003e, which are known to be affected by the IDOR vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious HTTP Request\u003c/strong\u003e: The attacker crafts an HTTP request (GET or POST) targeting one of the identified vulnerable endpoints. Crucially, the attacker substitutes the database identifier in the URL path parameter (e.g., \u003ccode\u003e{db}\u003c/code\u003e) from their authorized database ('DB A') to an unauthorized target database ('DB B').\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorization Bypass\u003c/strong\u003e: Upon receiving the request, the ArcadeDB server's vulnerable HTTP handler (e.g., PostBatchHandler or PostTimeSeriesWriteHandler) processes the \u003ccode\u003e{database}\u003c/code\u003e path parameter without invoking the necessary \u003ccode\u003euser.canAccessToDatabase()\u003c/code\u003e authorization check.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Database Access\u003c/strong\u003e: The server proceeds to resolve and access the target database ('DB B') despite the attacker's lack of explicit authorization for it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePerform Unauthorized Operations\u003c/strong\u003e: The attacker successfully executes read (e.g., via \u003ccode\u003e/api/v1/ts/b/prom/api/v1/query\u003c/code\u003e) or write (e.g., via \u003ccode\u003e/api/v1/batch/b\u003c/code\u003e or \u003ccode\u003e/api/v1/ts/b/write\u003c/code\u003e) operations on the unauthorized 'DB B', receiving a \u0026quot;200 OK\u0026quot; HTTP status code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Manipulation\u003c/strong\u003e: Through these unauthorized operations, the attacker gains full control over 'DB B', allowing for data exfiltration, modification, or deletion, leading to compromise of data confidentiality and integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows an authenticated attacker to bypass authorization controls, gaining complete read and write access to any database within the ArcadeDB instance, regardless of their assigned permissions. This leads to a severe compromise of data confidentiality and integrity across all databases. Attackers can exfiltrate sensitive information, alter critical data, or even delete entire database contents. Organizations utilizing ArcadeDB for multi-tenant environments or to segregate data by user/department are particularly at risk, as an attacker with low-privilege access to one database could escalate their privileges to access all others.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch ArcadeDB\u003c/strong\u003e: Immediately upgrade ArcadeDB server instances to version 26.7.2 or later to apply the necessary security fixes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Webserver Logs\u003c/strong\u003e: Deploy the Sigma rule in this brief to your SIEM and monitor webserver logs for HTTP requests targeting the vulnerable \u003ccode\u003e/api/v1/batch/\u003c/code\u003e and \u003ccode\u003e/api/v1/ts/\u003c/code\u003e API endpoints.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Access Logs\u003c/strong\u003e: Periodically review webserver access logs for anomalous requests to the \u003ccode\u003e/api/v1/batch/{db}\u003c/code\u003e and \u003ccode\u003e/api/v1/ts/{db}/*\u003c/code\u003e paths, particularly for requests to database names that the originating user should not have access to.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:21:14Z","date_published":"2026-07-16T20:21:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-idor/","summary":"ArcadeDB server versions prior to 26.7.2 are vulnerable to a cross-database Insecure Direct Object Reference (IDOR) due to improper authorization checks in several HTTP handlers, enabling a user authorized for a specific database to gain full read and write access to other unauthorized databases by directly accessing specific API endpoints.","title":"ArcadeDB Cross-Database IDOR Vulnerability Allows Unauthorized Data Access","url":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-idor/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcadedb-engine (\u003c 26.7.2)"],"_cs_severities":["high"],"_cs_tags":["ArcadeDB","RCE","vulnerability","java","database","privilege-escalation","SSRF","DoS","javascript","sql-command-injection"],"_cs_type":"advisory","_cs_vendors":["ArcadeDB"],"content_html":"\u003cp\u003eA high-severity vulnerability has been identified in ArcadeDB, affecting versions prior to 26.7.2. The \u003ccode\u003eScriptTriggerExecutor\u003c/code\u003e component, responsible for executing trigger scripts, includes \u003ccode\u003ejava.lang.*\u003c/code\u003e in its allowed packages. This oversight permits an authenticated attacker with \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e privileges (a schema administrator) to craft and deploy a malicious JavaScript trigger. When such a trigger fires, it can invoke \u003ccode\u003ejava.lang.Runtime.exec()\u003c/code\u003e, leading to arbitrary operating system command execution on the host server where ArcadeDB is running. This effectively escalates privileges from a database schema administrator to remote code execution on the underlying operating system, posing a significant risk to the integrity and confidentiality of the host system and the data stored within ArcadeDB.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e administrative privileges within an ArcadeDB instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious database trigger script that includes an OS command execution payload.\u003c/li\u003e\n\u003cli\u003eThe attacker registers this malicious trigger within ArcadeDB using the \u003ccode\u003eCREATE TRIGGER ... EXECUTE JAVASCRIPT\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe JavaScript payload within the trigger leverages the permissive \u003ccode\u003ejava.lang.*\u003c/code\u003e allow-list to call \u003ccode\u003eJava.type(\u0026quot;java.lang.Runtime\u0026quot;).getRuntime().exec(...)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted trigger is saved into the database schema, awaiting its activation conditions.\u003c/li\u003e\n\u003cli\u003eA subsequent database operation or event occurs that satisfies the conditions for the newly created malicious trigger to fire.\u003c/li\u003e\n\u003cli\u003eThe ArcadeDB \u003ccode\u003eScriptTriggerExecutor\u003c/code\u003e processes the trigger, and due to \u003ccode\u003ejava.lang.*\u003c/code\u003e being in the allow-list, the \u003ccode\u003ejava.lang.Runtime.exec()\u003c/code\u003e call is permitted.\u003c/li\u003e\n\u003cli\u003eThe attacker's specified operating system commands are executed on the host server with the privileges of the ArcadeDB process, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in arbitrary remote code execution on the server hosting ArcadeDB. This allows an attacker to completely compromise the underlying operating system, potentially leading to data exfiltration, deletion, or modification of any data accessible by the ArcadeDB process. While it requires an attacker to first obtain \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e privileges, the RCE then allows for privilege escalation from a schema administrator role to full system control. The compromise can affect any operating system ArcadeDB is deployed on, including Windows, Linux, and macOS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ArcadeDB installations immediately to version 26.7.2 or later to apply the official patch.\u003c/li\u003e\n\u003cli\u003eReview and ensure strict access controls are in place for users assigned \u003ccode\u003eUPDATE_SCHEMA\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eAdministrators should monitor database logs for suspicious \u003ccode\u003eCREATE TRIGGER\u003c/code\u003e statements that include \u003ccode\u003eJAVASCRIPT\u003c/code\u003e execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:22:19Z","date_published":"2026-07-16T20:17:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/","summary":"A vulnerability in ArcadeDB's ScriptTriggerExecutor allows users with UPDATE_SCHEMA privileges to achieve OS Remote Code Execution (RCE) due to a permissive allow-list for trigger scripts, enabling direct calls to `java.lang.Runtime.exec()` when a malicious trigger script is created and fired.","title":"ArcadeDB Trigger Script RCE via Java.lang.* Allow-list","url":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["arcadedb-engine (\u003c 26.6.1)"],"_cs_severities":["high"],"_cs_tags":["arcadedb","ssrf","file-read","cve","database"],"_cs_type":"advisory","_cs_vendors":["ArcadeData"],"content_html":"\u003cp\u003eA high-severity vulnerability (CVE-2026-54077) in ArcadeDB versions prior to 26.6.1 allows authenticated users to perform Server-Side Request Forgery (SSRF) and arbitrary local file reads. The flaw exists in the \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e SQL statement, which did not require administrative privileges and failed to validate the source URL provided to its importer. This allows any authenticated user with SQL command access, not just root or administrators, to force the ArcadeDB server to make HTTP(S) requests to arbitrary internal and external destinations, including cloud metadata endpoints (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e). Attackers can also leverage \u003ccode\u003efile://\u003c/code\u003e paths to read sensitive local files, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e or credential files, which are then ingested as queryable database records. The issue is critical as it enables information disclosure, internal network reconnaissance, and potential lateral movement from a compromised authenticated user account within an ArcadeDB deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with SQL command access connects to the ArcadeDB server's SQL command/query endpoints (\u003ccode\u003e/api/v1/command\u003c/code\u003e, \u003ccode\u003e/api/v1/query\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe user crafts and executes an \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e SQL statement specifying a target URL or file path.\u003c/li\u003e\n\u003cli\u003eTo achieve Server-Side Request Forgery (SSRF), the user provides an HTTP(S) URL pointing to an internal service or a cloud metadata endpoint (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ArcadeDB server executes the \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e statement, making an unvalidated outbound HTTP(S) request to the specified URL.\u003c/li\u003e\n\u003cli\u003eThe server ingests the HTTP response content from the internal service or cloud metadata endpoint into a database record, allowing the attacker to query the retrieved information.\u003c/li\u003e\n\u003cli\u003eAlternatively, to achieve arbitrary local file read, the user provides a \u003ccode\u003efile://\u003c/code\u003e path to a sensitive system file (e.g., \u003ccode\u003efile:///etc/passwd\u003c/code\u003e, \u003ccode\u003e/etc/shadow\u003c/code\u003e, or credential files).\u003c/li\u003e\n\u003cli\u003eThe ArcadeDB server executes the \u003ccode\u003eIMPORT DATABASE\u003c/code\u003e statement, attempting to read the local file without proper path validation.\u003c/li\u003e\n\u003cli\u003eThe server ingests the file's content into a database record, enabling the authenticated attacker to retrieve and view the sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54077 allows authenticated users to bypass security controls, gaining unauthorized access to internal network resources and sensitive local files residing on the ArcadeDB server. This can lead to significant information disclosure, including cloud instance metadata, internal service configurations, and system-level credentials. Any organization using vulnerable versions of ArcadeDB is at risk, particularly if untrusted users have SQL query access or if the server is deployed in an environment with access to sensitive internal networks or cloud APIs. The consequences of this data exposure could include unauthorized data exfiltration, lateral movement within the network, or further exploitation of exposed internal services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54077 by upgrading ArcadeDB to version \u003ccode\u003e26.6.1\u003c/code\u003e or later immediately.\u003c/li\u003e\n\u003cli\u003eRestrict SQL command/query access in ArcadeDB to only trusted administrative users, as specified in the workarounds section of the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune them for your environment, especially regarding the specific process identity of your ArcadeDB instance, to detect suspicious network connections and file access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:07:35Z","date_published":"2026-07-16T20:07:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-ssrf-file-read/","summary":"Authenticated users can exploit an unvalidated `IMPORT DATABASE` function in ArcadeDB (CVE-2026-54077) to perform Server-Side Request Forgery (CWE-918) against cloud metadata endpoints and internal services, or achieve arbitrary local file read (CWE-22) via `file://` paths, exposing sensitive data.","title":"ArcadeDB IMPORT DATABASE Allows SSRF and Arbitrary Local File Read","url":"https://feed.craftedsignal.io/briefs/2026-07-arcadedb-ssrf-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed - Arcadedb","version":"https://jsonfeed.org/version/1.1"}