GHSA-VWJC-V7X7-CM6G: Authorization Bypass via SQL-Defined User Functions in ArcadeDB
Vulnerability ID: GHSA-VWJC-V7X7-CM6G
CVSS Score: 8.8
Published: 2026-07-16
A critical authorization bypass vulnerability in ArcadeDB allows authenticated, low-privilege users to define and execute arbitrary JavaScript code via standard SQL statements. By circumventing the security checks introduced in GHSA-48qw-824m-86pr, an attacker can leverage the un-sandboxed GraalVM script engine to perform Server-Side Request Forgery (SSRF) and trigger denial-of-service conditions on the host system.
TL;DR
Low-privilege database users can bypass polyglot scripting security restrictions in ArcadeDB by registering custom JavaScript functions via SQL, leading to un-sandboxed execution, SSRF, and local resource exhaustion.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863 / CWE-269 / CWE-693
- Attack Vector: Network (AV:N)
- CVSS: 8.8 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- Impact: Server-Side Request Forgery and Local Code Execution via load()
- Exploit Status: Proof-of-Concept (PoC) documented
- KEV Status: Not Listed
Affected Systems
- ArcadeDB Database Engine
-
arcadedb-engine: < 26.7.2 (Fixed in:
26.7.2)
Mitigation Strategies
- Upgrade ArcadeDB to version 26.7.2 or higher to enforce strict user authorization and secure polyglot execution sandboxing.
- Restrict network access to the database's HTTP command endpoints (/api/v1/command) using firewall rules or security groups.
- Disable external outbound network access (egress traffic) from database hosting instances to mitigate Server-Side Request Forgery risks.
Remediation Steps:
- Verify the current running version of ArcadeDB by inspecting dependency files or administration consoles.
- Update Maven build configurations or deployment packages to version 26.7.2 or later.
- Audit existing schema environments for unauthorized user-defined functions using administrative queries.
- Apply network micro-segmentation to isolate database server communication pipelines.
References
- ArcadeDB Advisory GHSA-vwjc-v7x7-cm6g
- ArcadeDB Advisory GHSA-48qw-824m-86pr (Precursor)
- ArcadeDB Release 26.7.1
- ArcadeDB Release 26.7.2
Read the full report for GHSA-VWJC-V7X7-CM6G on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)