DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-X8MG-6R4P-87PF: GHSA-X8MG-6R4P-87PF: Cross-Database Insecure Direct Object Reference (IDOR) in ArcadeDB Server

GHSA-X8MG-6R4P-87PF: Cross-Database Insecure Direct Object Reference (IDOR) in ArcadeDB Server

Vulnerability ID: GHSA-X8MG-6R4P-87PF
CVSS Score: 7.1
Published: 2026-07-16

An Improper Authorization Bypass (Insecure Direct Object Reference) exists in ArcadeDB server prior to version 26.7.2. Fourteen specific HTTP handlers fail to validate permissions before retrieving and operating on a database instance. This architectural gap allows authenticated users authorized for only one database to read from and write to any other database on the server without restriction.

TL;DR

ArcadeDB fails to enforce permission checks in fourteen critical HTTP handlers, allowing low-privilege authenticated users to bypass database isolation and perform unauthorized read and write operations on any database on the server.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862 (Missing Authorization) / CWE-639 (Insecure Direct Object Reference)
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 7.1 (High Severity)
  • EPSS Score: 0.00043
  • Impact: Confidentiality High (VC:H), Integrity High (VI:H)
  • Exploit Status: Proof of Concept (PoC) documented
  • KEV Status: Not listed in CISA KEV

Affected Systems

  • ArcadeDB Server
  • arcadedb-server: < 26.7.2 (Fixed in: 26.7.2)

Mitigation Strategies

  • Upgrade to com.arcadedb:arcadedb-server version 26.7.2 or higher.
  • Apply reverse proxy or Web Application Firewall (WAF) rules to restrict access to endpoints /api/v1/batch/*, /api/v1/ts/*, and /api/v1/grafana/*.
  • Deploy network segmentation to limit access to ArcadeDB REST port (2480) exclusively to authorized client applications.

Remediation Steps:

  1. Identify and catalog all active ArcadeDB server instances across deployments.
  2. Inspect dependency files (e.g., pom.xml, build.gradle) to determine if deployed versions are below 26.7.2.
  3. Update dependencies to version 26.7.2 or later to apply the official security fixes.
  4. Deploy the updated builds to environments and verify successful connection filtering.
  5. For systems where immediate patching is impossible, implement URL-rewriting or gateway access control policies to drop traffic to vulnerable endpoints.

References


Read the full report for GHSA-X8MG-6R4P-87PF on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)