Vulnerability Database

359,603

Total vulnerabilities in the database

ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read — com.arcadedb / arcadedb-server

Improper Privilege Management

Impact

A user holding only reader (read-only) privileges on a single database could execute arbitrary JVM code by sending a "language": "js" command to the POST /api/v1/command/{database} HTTP endpoint, and use it to read arbitrary files on the host filesystem (e.g. /etc/passwd, configuration files), outside the scope of the database itself.

Two cooperating defects made this possible:

  1. Missing authorization on the scripting path (CWE-863 / CWE-269). Polyglot script execution (js and other GraalVM languages) never went through the database authorization checks applied to SQL/Cypher, so any authenticated principal - regardless of database role - could run scripts.
  2. Sandbox whitelist bypass. The GraalVM sandbox restricts direct class lookups to a configured allowedPackages list, but a script could reach arbitrary classes by reflecting off the bound database object: database.getClass().getClassLoader().loadClass("java.io.File").

Process creation was already blocked (allowCreateProcess(false)), so the confirmed impact is host file read, not OS command execution. Confidentiality: High. Integrity/Availability: None.

This is a distinct entry point and root cause from CVE-2026-44221, CVE-2026-54076 and CVE-2026-54077, and is reproducible on builds that already contain those fixes.

Patches

The fix is applied in the engine so it covers every entry point (HTTP command, HA-forwarded commands, MCP analyze), not only the HTTP handler:

  • Polyglot script execution now requires the updateSecurity database-administrator permission on command, analyze and registerFunctions. The check runs on the request thread that carries the authenticated user and is a no-op in embedded mode and internal/system contexts (schema load, HA replication apply).
  • The GraalVM host-access policy now denies access to java.lang.Class, java.lang.ClassLoader and java.lang.reflect members, closing the reflection escape that bypassed allowedPackages - even for authorized administrators - while leaving normal method calls on bound objects and explicit Java.type(...) lookups (governed by allowedPackages) working.

Workarounds

Until upgraded, do not grant command/query access on the HTTP API to untrusted users, and treat any account that can reach /api/v1/command as capable of code execution. Note that after the fix, non-administrator accounts can no longer run js/polyglot scripts over HTTP.

Credit

Reported by @kyojune76.

  • Published: Jul 16, 2026
  • Updated: Jul 17, 2026
  • GHSA: GHSA-48qw-824m-86pr
  • Severity: High
  • Exploit:
  • CISA KEV:

CVSS v3:

  • Severity: High
  • Score: 7.7
  • AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.