ArcadeDB Critical Vulnerability Bypasses Authorization Across Databases
The National Vulnerability Database has detailed CVE-2026-44221, a critical vulnerability in ArcadeDB Multi-Model DBMS versions prior to 2.6.4. This flaw allows authenticated users or API tokens, even those scoped to a single database, to read, write, and modify schema on any other database hosted on the same server. This isn’t just a misconfiguration; it’s a fundamental breakdown of authorization.
The vulnerability stems from two distinct defects. First, ServerSecurityUser.getDatabaseUser() was returning a database user with an uninitialized fileAccessMap, which requestAccessOnFile incorrectly interpreted as an ‘allow-all’ setting. Second, ArcadeDBServer.createDatabase() failed to properly initialize security settings via factory.setSecurity(...) when creating databases through the API (POST /api/v1/server {"command":"create database X"}). This silently disabled the entire record-level authorization system for newly created databases. Combined, these two issues allow any authenticated principal to completely bypass both record-level and database-level authorization.
This is a severe design flaw, not merely an implementation bug. It means that once an attacker gains any authenticated access to an ArcadeDB instance, they can effectively achieve full control over all databases on that server, regardless of their initial scope. The National Vulnerability Database assigned this a CVSS score of 9 (CRITICAL), highlighting the ease of exploitation (low complexity, low privileges) and the complete compromise of confidentiality, integrity, and availability.
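The two defects as a minimal model (an added example, not ArcadeDB's code): the class and method names follow the advisory, while the grant map shape, the `patched` switch and the sample principal are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DatabaseUser:
    name: str
    # Assumed shape {file_name: {ops}}; None models the uninitialized fileAccessMap.
    file_access_map: Optional[dict] = None


@dataclass
class Database:
    name: str
    security_enabled: bool = True


class ServerSecurityUser:
    """Server-level principal; grants is assumed as {db_name: {file_name: {ops}}}."""
    def __init__(self, name, grants):
        self.name = name
        self.grants = grants

    def get_database_user(self, db_name, patched):
        if patched:
            # Fix: no grants on this database yields an explicit empty map (fail closed).
            return DatabaseUser(self.name, dict(self.grants.get(db_name, {})))
        # Defect 1 (vulnerable): map left uninitialized for databases the principal is not scoped to.
        return DatabaseUser(self.name, self.grants.get(db_name))


def request_access_on_file(db_user, file_name, op, patched):
    if db_user.file_access_map is None:
        # Defect 1 continued: the uninitialized map was read as 'allow-all'; the fix denies.
        return not patched
    return op in db_user.file_access_map.get(file_name, set())


def create_database(name, patched):
    # Defect 2: API-created databases skipped factory.setSecurity(), disabling record-level checks.
    return Database(name, security_enabled=patched)


def authorize(principal, db, file_name, op, patched):
    if not db.security_enabled:
        return True  # no security object at all: every request passes
    db_user = principal.get_database_user(db.name, patched)
    return request_access_on_file(db_user, file_name, op, patched)


def demo(patched):
    """Returns (own-db read, cross-db write on an existing db, write on an API-created db)."""
    alice = ServerSecurityUser("alice", {"sales": {"Customer": {"read"}}})  # constructed principal
    sales, hr = Database("sales"), Database("hr")
    api_db = create_database("analytics", patched)
    return (authorize(alice, sales, "Customer", "read", patched),
            authorize(alice, hr, "Employee", "write", patched),
            authorize(alice, api_db, "Report", "write", patched))


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # (True, True, True)
    print("patched:   ", demo(True))   # (True, False, False)
```

The first tuple element is the legitimate read on the principal's own database; the other two are the cross-database writes that should never succeed.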
What This Means For You
- If your organization uses ArcadeDB, you must immediately verify your version. Any instance running prior to 2.6.4 is fundamentally exposed to complete data compromise and manipulation by any authenticated user. Prioritize patching to version 2.6.4 or later, and audit all database creation logs for API calls that may have silently disabled security.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK (Sigma YAML).
```yaml
title: ArcadeDB Database Creation Without Security - CVE-2026-44221
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects the creation of a new database in ArcadeDB via the API endpoint '/api/v1/server' using the 'create database' command. This specific API call, when vulnerable (prior to 2.6.4), bypassed record-level authorization by omitting security settings, allowing authenticated users to gain unauthorized access to any database. This rule targets the exploit mechanism described in CVE-2026-44221.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44221/
tags:
  - attack.privilege_escalation
  - attack.t1200
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    # The endpoint is part of the request path, not the query string.
    cs-uri|contains:
      - '/api/v1/server'
    # The 'create database' command is carried in the JSON body, not the URI; matching it
    # requires a log source that records request bodies (field name assumed).
    cs-body|contains:
      - 'create database'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44221 | Auth Bypass | ArcadeDB versions prior to 2.6.4 |
| CVE-2026-44221 | Privilege Escalation | ArcadeDB ServerSecurityUser.getDatabaseUser() returning a DB user with uninitialized fileAccessMap |
| CVE-2026-44221 | Misconfiguration | ArcadeDBServer.createDatabase() omitting factory.setSecurity(...) for databases created via POST /api/v1/server {"command":"create database X"} |
| CVE-2026-44221 | Information Disclosure | Authenticated users and API tokens could read schema on any other database |
| CVE-2026-44221 | Code Injection | Authenticated users and API tokens could write and mutate schema on any other database |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.