{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/arcadedata/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["arcadedb-server","ArcadeDB"],"_cs_severities":["critical"],"_cs_tags":["authorization bypass","privilege escalation","cve-2026-44221"],"_cs_type":"advisory","_cs_vendors":["ArcadeData"],"content_html":"\u003cp\u003eArcadeDB, a multi-model database, is susceptible to an authorization bypass vulnerability affecting versions prior to 26.4.2. This vulnerability stems from two distinct defects: first, the \u003ccode\u003eServerSecurityUser.getDatabaseUser()\u003c/code\u003e method returns a database user with an uninitialized file access map, which is then incorrectly interpreted as allowing all access. Second, the \u003ccode\u003eArcadeDBServer.createDatabase()\u003c/code\u003e method omits the \u003ccode\u003efactory.setSecurity(...)\u003c/code\u003e call, effectively disabling the record-level authorization system for any database created via the API endpoint \u003ccode\u003ePOST /api/v1/server {\u0026quot;command\u0026quot;:\u0026quot;create database X\u0026quot;}\u003c/code\u003e.  This combination of flaws allows authenticated principals to bypass both record-level and database-level authorization constraints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ArcadeDB server with valid credentials for a specific database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the \u003ccode\u003eServerSecurityUser.getDatabaseUser()\u003c/code\u003e flaw to gain unauthorized access to other databases.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the uninitialized \u003ccode\u003efileAccessMap\u003c/code\u003e vulnerability, allowing them to bypass file access checks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to read data from a database they should not have access to, such as \u003ccode\u003eGET /api/v1/database/OtherDatabase/query/sql/SELECT%20*%20FROM%20SomeTable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly authorizes the request due to the flawed access control mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to modify the schema of another database using API calls that would normally be restricted based on database-level permissions. For example, \u003ccode\u003ePOST /api/v1/database/OtherDatabase {\u0026quot;command\u0026quot;:\u0026quot;alter database X\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf an attacker creates a new database using \u003ccode\u003ePOST /api/v1/server {\u0026quot;command\u0026quot;:\u0026quot;create database X\u0026quot;}\u003c/code\u003e, the record-level authorization system is disabled due to the missing \u003ccode\u003efactory.setSecurity(...)\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eThe attacker then exploits the newly created database, which has no security checks, gaining complete control over its data and schema.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized access to sensitive data stored in other databases within the same ArcadeDB server. An attacker can read, write, and modify data across multiple databases, leading to potential data breaches, data corruption, and complete system compromise. Organizations using affected versions of ArcadeDB are at risk of significant data loss and reputational damage.  The vulnerability affects all deployments using versions prior to 26.4.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ArcadeDB server to version 26.4.2 to patch CVE-2026-44221 and resolve the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests targeting multiple databases from a single authenticated user to detect potential exploitation attempts, and deploy the provided Sigma rule \u003ccode\u003eDetect ArcadeDB Database Access from Different IPs\u003c/code\u003e to detect this activity.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate potential brute-force attacks aimed at exploiting this vulnerability and use \u003ccode\u003eDetect ArcadeDB Unsecured Database Creation\u003c/code\u003e Sigma rule to detect unauthorized database creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T22:22:22Z","date_published":"2026-05-05T22:22:22Z","id":"/briefs/2026-05-arcadedb-auth-bypass/","summary":"ArcadeDB versions prior to 26.4.2 are vulnerable to an authorization bypass, allowing authenticated users and API tokens scoped to a specific database to read, write, and mutate schema on any other database on the same server, and disabling the record-level authorization system for newly created databases.","title":"ArcadeDB Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-arcadedb-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — ArcadeData","version":"https://jsonfeed.org/version/1.1"}