DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-VWJC-V7X7-CM6G: GHSA-VWJC-V7X7-CM6G: Authorization Bypass via SQL-Defined User Functions in ArcadeDB

GHSA-VWJC-V7X7-CM6G: Authorization Bypass via SQL-Defined User Functions in ArcadeDB

Vulnerability ID: GHSA-VWJC-V7X7-CM6G
CVSS Score: 8.8
Published: 2026-07-16

A critical authorization bypass vulnerability in ArcadeDB allows authenticated, low-privilege users to define and execute arbitrary JavaScript code via standard SQL statements. By circumventing the security checks introduced in GHSA-48qw-824m-86pr, an attacker can leverage the un-sandboxed GraalVM script engine to perform Server-Side Request Forgery (SSRF) and trigger denial-of-service conditions on the host system.

TL;DR

Low-privilege database users can bypass polyglot scripting security restrictions in ArcadeDB by registering custom JavaScript functions via SQL, leading to un-sandboxed execution, SSRF, and local resource exhaustion.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863 / CWE-269 / CWE-693
  • Attack Vector: Network (AV:N)
  • CVSS: 8.8 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • Impact: Server-Side Request Forgery and Local Code Execution via load()
  • Exploit Status: Proof-of-Concept (PoC) documented
  • KEV Status: Not Listed

Affected Systems

  • ArcadeDB Database Engine
  • arcadedb-engine: < 26.7.2 (Fixed in: 26.7.2)

Mitigation Strategies

  • Upgrade ArcadeDB to version 26.7.2 or higher to enforce strict user authorization and secure polyglot execution sandboxing.
  • Restrict network access to the database's HTTP command endpoints (/api/v1/command) using firewall rules or security groups.
  • Disable external outbound network access (egress traffic) from database hosting instances to mitigate Server-Side Request Forgery risks.

Remediation Steps:

  1. Verify the current running version of ArcadeDB by inspecting dependency files or administration consoles.
  2. Update Maven build configurations or deployment packages to version 26.7.2 or later.
  3. Audit existing schema environments for unauthorized user-defined functions using administrative queries.
  4. Apply network micro-segmentation to isolate database server communication pipelines.

References


Read the full report for GHSA-VWJC-V7X7-CM6G on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)