CVE Catalog

CVE-2026-44221

Critical
Published: Translated: NVD NIST

Summary

ArcadeDB prior to version 2.6.4 allowed authenticated users and API tokens to read, write, and mutate schema on any other database on the same server, which poses a serious security breach.

Risk Assessment

Organizations may be exposed to unauthorized access to data across different databases, potentially leading to loss of confidentiality and data integrity.

Recommendation

It is recommended to upgrade to version 2.6.4 or later to secure the system against these vulnerabilities.

Original NVD description (English source)

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal. This vulnerability is fixed in 2.6.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS