<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ArcadeDB - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/arcadedb/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 20:21:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/arcadedb/feed.xml" rel="self" type="application/rss+xml"/><item><title>ArcadeDB Cross-Database IDOR Vulnerability Allows Unauthorized Data Access</title><link>https://feed.craftedsignal.io/briefs/2026-07-arcadedb-idor/</link><pubDate>Thu, 16 Jul 2026 20:21:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-arcadedb-idor/</guid><description>ArcadeDB server versions prior to 26.7.2 are vulnerable to a cross-database Insecure Direct Object Reference (IDOR) due to improper authorization checks in several HTTP handlers, enabling a user authorized for a specific database to gain full read and write access to other unauthorized databases by directly accessing specific API endpoints.</description><content:encoded><![CDATA[<p>ArcadeDB, an open-source NoSQL graph database, contains a critical Insecure Direct Object Reference (IDOR) vulnerability (GHSA-x8mg-6r4p-87pf) affecting server versions prior to 26.7.2. This flaw allows a user with valid credentials, who is authorized to access only one database, to bypass authorization checks and gain full read and write access to other, unauthorized databases within the same ArcadeDB instance. The vulnerability stems from 14 specific HTTP handlers (including those for batch operations, time-series data, Prometheus, and Grafana integrations) which directly extend <code>AbstractServerHttpHandler</code> instead of the secure <code>DatabaseAbstractHandler</code>, failing to invoke the crucial <code>user.canAccessToDatabase()</code> function. Exploitation of this vulnerability grants attackers unauthorized control over sensitive data across different databases, posing a significant risk of data exfiltration, manipulation, or integrity compromise. This issue directly impacts organizations using ArcadeDB for multi-tenant or segmented data storage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Authentication</strong>: An attacker obtains valid user credentials for an ArcadeDB instance, successfully authenticating and gaining authorized access to at least one specific database (e.g., 'DB A').</li>
<li><strong>Identify Vulnerable Endpoints</strong>: The attacker identifies specific ArcadeDB HTTP API endpoints, such as <code>/api/v1/batch/{db}</code>, <code>/api/v1/ts/{db}/write</code>, or <code>/api/v1/ts/{db}/prom/api/v1/query</code>, which are known to be affected by the IDOR vulnerability.</li>
<li><strong>Craft Malicious HTTP Request</strong>: The attacker crafts an HTTP request (GET or POST) targeting one of the identified vulnerable endpoints. Crucially, the attacker substitutes the database identifier in the URL path parameter (e.g., <code>{db}</code>) from their authorized database ('DB A') to an unauthorized target database ('DB B').</li>
<li><strong>Authorization Bypass</strong>: Upon receiving the request, the ArcadeDB server's vulnerable HTTP handler (e.g., PostBatchHandler or PostTimeSeriesWriteHandler) processes the <code>{database}</code> path parameter without invoking the necessary <code>user.canAccessToDatabase()</code> authorization check.</li>
<li><strong>Unauthorized Database Access</strong>: The server proceeds to resolve and access the target database ('DB B') despite the attacker's lack of explicit authorization for it.</li>
<li><strong>Perform Unauthorized Operations</strong>: The attacker successfully executes read (e.g., via <code>/api/v1/ts/b/prom/api/v1/query</code>) or write (e.g., via <code>/api/v1/batch/b</code> or <code>/api/v1/ts/b/write</code>) operations on the unauthorized 'DB B', receiving a &quot;200 OK&quot; HTTP status code.</li>
<li><strong>Data Exfiltration or Manipulation</strong>: Through these unauthorized operations, the attacker gains full control over 'DB B', allowing for data exfiltration, modification, or deletion, leading to compromise of data confidentiality and integrity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this IDOR vulnerability allows an authenticated attacker to bypass authorization controls, gaining complete read and write access to any database within the ArcadeDB instance, regardless of their assigned permissions. This leads to a severe compromise of data confidentiality and integrity across all databases. Attackers can exfiltrate sensitive information, alter critical data, or even delete entire database contents. Organizations utilizing ArcadeDB for multi-tenant environments or to segregate data by user/department are particularly at risk, as an attacker with low-privilege access to one database could escalate their privileges to access all others.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch ArcadeDB</strong>: Immediately upgrade ArcadeDB server instances to version 26.7.2 or later to apply the necessary security fixes.</li>
<li><strong>Monitor Webserver Logs</strong>: Deploy the Sigma rule in this brief to your SIEM and monitor webserver logs for HTTP requests targeting the vulnerable <code>/api/v1/batch/</code> and <code>/api/v1/ts/</code> API endpoints.</li>
<li><strong>Review Access Logs</strong>: Periodically review webserver access logs for anomalous requests to the <code>/api/v1/batch/{db}</code> and <code>/api/v1/ts/{db}/*</code> paths, particularly for requests to database names that the originating user should not have access to.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>idor</category><category>authorization-bypass</category><category>arcadedb</category><category>web-application</category></item><item><title>ArcadeDB Trigger Script RCE via Java.lang.* Allow-list</title><link>https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/</link><pubDate>Thu, 16 Jul 2026 20:17:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-arcadedb-rce/</guid><description>A vulnerability in ArcadeDB's ScriptTriggerExecutor allows users with UPDATE_SCHEMA privileges to achieve OS Remote Code Execution (RCE) due to a permissive allow-list for trigger scripts, enabling direct calls to `java.lang.Runtime.exec()` when a malicious trigger script is created and fired.</description><content:encoded><![CDATA[<p>A high-severity vulnerability has been identified in ArcadeDB, affecting versions prior to 26.7.2. The <code>ScriptTriggerExecutor</code> component, responsible for executing trigger scripts, includes <code>java.lang.*</code> in its allowed packages. This oversight permits an authenticated attacker with <code>UPDATE_SCHEMA</code> privileges (a schema administrator) to craft and deploy a malicious JavaScript trigger. When such a trigger fires, it can invoke <code>java.lang.Runtime.exec()</code>, leading to arbitrary operating system command execution on the host server where ArcadeDB is running. This effectively escalates privileges from a database schema administrator to remote code execution on the underlying operating system, posing a significant risk to the integrity and confidentiality of the host system and the data stored within ArcadeDB.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains <code>UPDATE_SCHEMA</code> administrative privileges within an ArcadeDB instance.</li>
<li>The attacker crafts a malicious database trigger script that includes an OS command execution payload.</li>
<li>The attacker registers this malicious trigger within ArcadeDB using the <code>CREATE TRIGGER ... EXECUTE JAVASCRIPT</code> command.</li>
<li>The JavaScript payload within the trigger leverages the permissive <code>java.lang.*</code> allow-list to call <code>Java.type(&quot;java.lang.Runtime&quot;).getRuntime().exec(...)</code>.</li>
<li>The crafted trigger is saved into the database schema, awaiting its activation conditions.</li>
<li>A subsequent database operation or event occurs that satisfies the conditions for the newly created malicious trigger to fire.</li>
<li>The ArcadeDB <code>ScriptTriggerExecutor</code> processes the trigger, and due to <code>java.lang.*</code> being in the allow-list, the <code>java.lang.Runtime.exec()</code> call is permitted.</li>
<li>The attacker's specified operating system commands are executed on the host server with the privileges of the ArcadeDB process, achieving remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in arbitrary remote code execution on the server hosting ArcadeDB. This allows an attacker to completely compromise the underlying operating system, potentially leading to data exfiltration, deletion, or modification of any data accessible by the ArcadeDB process. While it requires an attacker to first obtain <code>UPDATE_SCHEMA</code> privileges, the RCE then allows for privilege escalation from a schema administrator role to full system control. The compromise can affect any operating system ArcadeDB is deployed on, including Windows, Linux, and macOS.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ArcadeDB installations immediately to version 26.7.2 or later to apply the official patch.</li>
<li>Review and ensure strict access controls are in place for users assigned <code>UPDATE_SCHEMA</code> privileges.</li>
<li>Administrators should monitor database logs for suspicious <code>CREATE TRIGGER</code> statements that include <code>JAVASCRIPT</code> execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ArcadeDB</category><category>RCE</category><category>vulnerability</category><category>java</category><category>database</category><category>privilege-escalation</category><category>SSRF</category><category>DoS</category><category>javascript</category><category>sql-command-injection</category></item><item><title>ArcadeDB Authorization Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-arcadedb-auth-bypass/</link><pubDate>Tue, 05 May 2026 22:22:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-arcadedb-auth-bypass/</guid><description>ArcadeDB versions prior to 26.4.2 are vulnerable to an authorization bypass, allowing authenticated users and API tokens scoped to a specific database to read, write, and mutate schema on any other database on the same server, and disabling the record-level authorization system for newly created databases.</description><content:encoded><![CDATA[<p>ArcadeDB, a multi-model database, is susceptible to an authorization bypass vulnerability affecting versions prior to 26.4.2. This vulnerability stems from two distinct defects: first, the <code>ServerSecurityUser.getDatabaseUser()</code> method returns a database user with an uninitialized file access map, which is then incorrectly interpreted as allowing all access. Second, the <code>ArcadeDBServer.createDatabase()</code> method omits the <code>factory.setSecurity(...)</code> call, effectively disabling the record-level authorization system for any database created via the API endpoint <code>POST /api/v1/server {&quot;command&quot;:&quot;create database X&quot;}</code>.  This combination of flaws allows authenticated principals to bypass both record-level and database-level authorization constraints.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the ArcadeDB server with valid credentials for a specific database.</li>
<li>The attacker leverages the <code>ServerSecurityUser.getDatabaseUser()</code> flaw to gain unauthorized access to other databases.</li>
<li>The attacker exploits the uninitialized <code>fileAccessMap</code> vulnerability, allowing them to bypass file access checks.</li>
<li>The attacker crafts a request to read data from a database they should not have access to, such as <code>GET /api/v1/database/OtherDatabase/query/sql/SELECT%20*%20FROM%20SomeTable</code>.</li>
<li>The server incorrectly authorizes the request due to the flawed access control mechanisms.</li>
<li>The attacker then attempts to modify the schema of another database using API calls that would normally be restricted based on database-level permissions. For example, <code>POST /api/v1/database/OtherDatabase {&quot;command&quot;:&quot;alter database X&quot;}</code>.</li>
<li>If an attacker creates a new database using <code>POST /api/v1/server {&quot;command&quot;:&quot;create database X&quot;}</code>, the record-level authorization system is disabled due to the missing <code>factory.setSecurity(...)</code> call.</li>
<li>The attacker then exploits the newly created database, which has no security checks, gaining complete control over its data and schema.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthorized access to sensitive data stored in other databases within the same ArcadeDB server. An attacker can read, write, and modify data across multiple databases, leading to potential data breaches, data corruption, and complete system compromise. Organizations using affected versions of ArcadeDB are at risk of significant data loss and reputational damage.  The vulnerability affects all deployments using versions prior to 26.4.2.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ArcadeDB server to version 26.4.2 to patch CVE-2026-44221 and resolve the authorization bypass vulnerability.</li>
<li>Monitor web server logs for unusual API requests targeting multiple databases from a single authenticated user to detect potential exploitation attempts, and deploy the provided Sigma rule <code>Detect ArcadeDB Database Access from Different IPs</code> to detect this activity.</li>
<li>Implement rate limiting on API endpoints to mitigate potential brute-force attacks aimed at exploiting this vulnerability and use <code>Detect ArcadeDB Unsecured Database Creation</code> Sigma rule to detect unauthorized database creation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authorization bypass</category><category>privilege escalation</category><category>cve-2026-44221</category></item></channel></rss>