Description
ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal. This vulnerability is fixed in 2.6.4.
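Defect (1) is a fail-open authorization check: a permission map that was never populated is treated as "no restrictions". The following Java sketch is an added example, not ArcadeDB's code; the class, method and field names are hypothetical simplifications that mirror the names in the description, and it contrasts the fail-open shape with a fail-closed one that distinguishes "uninitialised" from "no entry".

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the per-database user described in CVE-2026-44221.
// fileAccessMap maps a file id to the access modes the user may use on it.
public final class DatabaseUserAccess {
    public enum Access { READ, WRITE }

    private final String userName;
    private final Map<Integer, Set<Access>> fileAccessMap; // null == never initialised

    public DatabaseUserAccess(String userName, Map<Integer, Set<Access>> fileAccessMap) {
        this.userName = userName;
        this.fileAccessMap = fileAccessMap;
    }

    // Vulnerable shape: a missing map is read as "no restrictions configured",
    // so a user object built without permissions is granted every operation.
    public boolean requestAccessOnFileFailOpen(int fileId, Access access) {
        if (fileAccessMap == null) return true;
        Set<Access> allowed = fileAccessMap.get(fileId);
        return allowed != null && allowed.contains(access);
    }

    // Hardened shape: an uninitialised map is a programming error and is refused
    // outright; a file with no entry is denied rather than allowed.
    public boolean requestAccessOnFile(int fileId, Access access) {
        if (fileAccessMap == null) {
            throw new IllegalStateException("fileAccessMap not initialised for user " + userName);
        }
        Set<Access> allowed = fileAccessMap.get(fileId);
        return allowed != null && allowed.contains(access);
    }

    public static void main(String[] args) {
        // Constructed sample: a database-scoped principal whose map was never filled in.
        DatabaseUserAccess uninitialised = new DatabaseUserAccess("token-db1", null);
        System.out.println("fail-open grants WRITE: " + uninitialised.requestAccessOnFileFailOpen(7, Access.WRITE));
        try {
            uninitialised.requestAccessOnFile(7, Access.WRITE);
        } catch (IllegalStateException e) {
            System.out.println("fail-closed refuses: " + e.getMessage());
        }
        // Constructed sample: a correctly initialised principal with READ on file 7 only.
        Map<Integer, Set<Access>> perms = new HashMap<>();
        perms.put(7, Set.of(Access.READ));
        DatabaseUserAccess scoped = new DatabaseUserAccess("token-db1", perms);
        System.out.println("scoped READ on 7: " + scoped.requestAccessOnFile(7, Access.READ));
        System.out.println("scoped WRITE on 7: " + scoped.requestAccessOnFile(7, Access.WRITE));
        System.out.println("scoped READ on 9: " + scoped.requestAccessOnFile(9, Access.READ));
    }
}
```

Defect (2) is the same pattern one level up: a database whose security component was never attached must refuse to serve requests, not run with authorization disabled.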
Published: 2026-05-12
Score: 9 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ArcadeDB allowed authenticated users and database-scoped API tokens to read, write, and modify schema on any other database on the same server before version 2.6.4. The vulnerability arises from two code defects: an uninitialized fileAccessMap that was treated as allow-all and a missing security factory call when creating new databases via the API, which disabled record-level authorization. As a result, any authenticated principal could bypass both record-level and database-level controls, and any newly created database would be unsecured by default.

Affected Systems

The issue affects ArcadeData ArcadeDB releases earlier than 2.6.4. The fix is included in version 2.6.4 and later.

Risk and Exploitability

With a CVSS score of 9, the vulnerability is considered Critical. The attack requires valid authentication, but any legitimate credential gives the attacker unrestricted access to all databases on the server, enabling data exfiltration, tampering, or destruction. The EPSS score is not available and the vulnerability is not currently listed in CISA KEV, but the high severity and wide impact warrant immediate remediation. Exploitation is straightforward via the documented API endpoints, and any new database created during the vulnerability period remains unsecured until patched.

Generated by OpenCVE AI on May 12, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ArcadeDB 2.6.4 or newer to apply the security patches that initialize fileAccessMap and enable the security factory when creating databases.
  • Revoke existing API tokens and regenerate them to ensure they are scoped correctly, then re-verify that record-level authorization is enabled for all databases.
  • For databases created while the system was vulnerable, re-configure the security settings manually or recreate the database with the security factory enabled to mitigate accidental data exposure.

Advisories
Source: GitHub GHSA
ID: GHSA-fxc7-fm93-6q77
Title: ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases

History

Wed, 13 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type: First time appeared
Values removed: (none)
Values added: Arcadedata; Arcadedata arcadedb

Type: Vendors & Products
Values removed: (none)
Values added: Arcadedata; Arcadedata arcadedb

Tue, 12 May 2026 20:15:00 +0000

Type: Description
Values removed: (none)
Values added: the CVE description given at the top of this page

Type: Title
Values added: ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases

Type: Weaknesses
Values added: CWE-863

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:48:45.728Z

Reserved: 2026-05-05T15:42:40.518Z

Link: CVE-2026-44221

Vulnrichment

Updated: 2026-05-13T14:48:42.442Z

NVD

Status: Deferred

Published: 2026-05-12T20:16:43.020

Modified: 2026-05-13T18:21:10.270

Link: CVE-2026-44221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:12Z

Weaknesses