logo

Database

Authentication mechanism absence or evasion In com.arcadedb:arcadedb-server

Description

ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases

Impact

Authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal.

Patches

Upgrade to version 26.4.2

Resources

https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-442212. NVD-2026-442213. OSV-2026-442214. GHSA-fxc7-fm93-6q775. GCVE-2026-44221

References

1. https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q772. https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.