GHSA-X8MG-6R4P-87PF: Cross-Database Insecure Direct Object Reference (IDOR) in ArcadeDB Server
Vulnerability ID: GHSA-X8MG-6R4P-87PF
CVSS Score: 7.1
Published: 2026-07-16
An Improper Authorization Bypass (Insecure Direct Object Reference) exists in ArcadeDB server prior to version 26.7.2. Fourteen specific HTTP handlers fail to validate permissions before retrieving and operating on a database instance. This architectural gap allows authenticated users authorized for only one database to read from and write to any other database on the server without restriction.
TL;DR
ArcadeDB fails to enforce permission checks in fourteen critical HTTP handlers, allowing low-privilege authenticated users to bypass database isolation and perform unauthorized read and write operations on any database on the server.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862 (Missing Authorization) / CWE-639 (Insecure Direct Object Reference)
- Attack Vector: Network (AV:N)
- CVSS v4.0 Score: 7.1 (High Severity)
- EPSS Score: 0.00043
- Impact: Confidentiality High (VC:H), Integrity High (VI:H)
- Exploit Status: Proof of Concept (PoC) documented
- KEV Status: Not listed in CISA KEV
Affected Systems
- ArcadeDB Server
-
arcadedb-server: < 26.7.2 (Fixed in:
26.7.2)
Mitigation Strategies
- Upgrade to com.arcadedb:arcadedb-server version 26.7.2 or higher.
- Apply reverse proxy or Web Application Firewall (WAF) rules to restrict access to endpoints
/api/v1/batch/*,/api/v1/ts/*, and/api/v1/grafana/*. - Deploy network segmentation to limit access to ArcadeDB REST port (2480) exclusively to authorized client applications.
Remediation Steps:
- Identify and catalog all active ArcadeDB server instances across deployments.
- Inspect dependency files (e.g., pom.xml, build.gradle) to determine if deployed versions are below 26.7.2.
- Update dependencies to version 26.7.2 or later to apply the official security fixes.
- Deploy the updated builds to environments and verify successful connection filtering.
- For systems where immediate patching is impossible, implement URL-rewriting or gateway access control policies to drop traffic to vulnerable endpoints.
References
Read the full report for GHSA-X8MG-6R4P-87PF on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)