PT-2026-37317 · Arcadedb · Arcadedb

Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-44221

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

ArcadeDB versions prior to 26.4.2

Description

Authenticated users and API tokens scoped to a specific database can read, write, and mutate schema on any other database on the same server. Two defects combine to produce this. First, getDatabaseUser() in ServerSecurityUser returns a database user whose fileAccessMap was never initialized, and requestAccessOnFile() treats that uninitialized map as a grant of all access. Second, createDatabase() in ArcadeDBServer never calls factory.setSecurity(...), so any database created through the "/api/v1/server" endpoint with the command parameter set to "create database X" runs with its record-level authorization system disabled. Together, these defects let any authenticated principal bypass both record-level and database-level authorization.

Recommendations

Upgrade to version 26.4.2.
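The two defect classes named in the description, shown as an added Java illustration rather than ArcadeDB's own code: an access map that was never initialized being read as "allow everything", and a database built by a factory that never received its security layer, so record-level checks are silently skipped. Every class and method name below (DatabaseUser, SecurityHook, LenientFactory, StrictFactory, requestAccessOnFileVulnerable, requestAccessOnFileFixed) is a stand-in chosen for the example, and the sample principal and grants are constructed; the hardened variants fail closed on a missing map and make the security hook a constructor argument so it cannot be forgotten.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration, not ArcadeDB source. Models the two defect classes from the
 * advisory with hypothetical names: (1) an uninitialized per-file access map that a
 * fail-open check reads as "no restrictions"; (2) a database created without its
 * security hook, so record-level authorization is never consulted.
 */
public class FailOpenAuthorizationDemo {

    enum Access { READ, WRITE, SCHEMA }

    /** Hypothetical per-database principal; a careless caller may leave fileAccessMap null. */
    static final class DatabaseUser {
        final String name;
        Map<String, Set<Access>> fileAccessMap;   // file/type name -> granted operations

        DatabaseUser(String name, Map<String, Set<Access>> fileAccessMap) {
            this.name = name;
            this.fileAccessMap = fileAccessMap;
        }
    }

    /** Vulnerable pattern: absence of configuration is treated as absence of restriction. */
    static boolean requestAccessOnFileVulnerable(DatabaseUser user, String file, Access access) {
        if (user.fileAccessMap == null) {
            return true;                           // fail-open: uninitialized map means "no limits"
        }
        Set<Access> granted = user.fileAccessMap.get(file);
        return granted != null && granted.contains(access);
    }

    /** Hardened pattern: no explicit grant means deny, however the map came to be missing. */
    static boolean requestAccessOnFileFixed(DatabaseUser user, String file, Access access) {
        if (user.fileAccessMap == null) {
            return false;                          // fail-closed
        }
        Set<Access> granted = user.fileAccessMap.get(file);
        return granted != null && granted.contains(access);
    }

    /** Hypothetical record-level security hook consulted on every record access. */
    interface SecurityHook {
        boolean allow(DatabaseUser user, String file, Access access);
    }

    /** Hypothetical database handle; a null hook means the check is skipped entirely. */
    static final class Database {
        final String name;
        private final SecurityHook security;

        Database(String name, SecurityHook security) {
            this.name = name;
            this.security = security;
        }

        boolean checkRecordAccess(DatabaseUser user, String file, Access access) {
            if (security == null) {
                return true;                       // authorization layer was never installed
            }
            return security.allow(user, file, access);
        }
    }

    /** Vulnerable factory: the hook is optional and set after construction, so callers can forget it. */
    static final class LenientFactory {
        private SecurityHook security;             // stays null unless setSecurity() is called

        void setSecurity(SecurityHook security) { this.security = security; }

        Database create(String name) { return new Database(name, security); }
    }

    /** Hardened factory: the hook is a constructor argument, so no database can exist without one. */
    static final class StrictFactory {
        private final SecurityHook security;

        StrictFactory(SecurityHook security) {
            if (security == null) throw new IllegalArgumentException("security hook is required");
            this.security = security;
        }

        Database create(String name) { return new Database(name, security); }
    }

    public static void main(String[] args) {
        // Constructed sample principals: one whose map was never initialized, one with an explicit grant.
        DatabaseUser uninitialized = new DatabaseUser("alice", null);
        Map<String, Set<Access>> grants = new HashMap<>();
        grants.put("OwnDb.Person", EnumSet.of(Access.READ));
        DatabaseUser initialized = new DatabaseUser("bob", grants);

        // Defect 1: the vulnerable check grants the uninitialized principal WRITE on a foreign file,
        // while the fixed check denies it and still honours bob's explicit READ grant on his own file.
        System.out.println("vulnerable, uninitialized map: "
                + requestAccessOnFileVulnerable(uninitialized, "OtherDb.Person", Access.WRITE));
        System.out.println("fixed, uninitialized map:      "
                + requestAccessOnFileFixed(uninitialized, "OtherDb.Person", Access.WRITE));
        System.out.println("fixed, explicit READ grant:    "
                + requestAccessOnFileFixed(initialized, "OwnDb.Person", Access.READ));

        // Defect 2: a database produced by a factory whose setSecurity() was never called skips the hook,
        // whereas the strict factory forces the hook in and the same SCHEMA request is denied.
        SecurityHook hook = FailOpenAuthorizationDemo::requestAccessOnFileFixed;
        LenientFactory lenient = new LenientFactory();              // setSecurity(hook) forgotten
        Database unguarded = lenient.create("X");
        System.out.println("db without security hook:      "
                + unguarded.checkRecordAccess(uninitialized, "X.Person", Access.SCHEMA));
        Database guarded = new StrictFactory(hook).create("X");
        System.out.println("db with security hook:         "
                + guarded.checkRecordAccess(uninitialized, "X.Person", Access.SCHEMA));
    }
}
```

The design point is the same for both halves: a null map and a null hook are not "nothing to enforce" but "enforcement state unknown", and the safe interpretation of unknown is deny. Making the hook a constructor parameter turns the forgotten setSecurity(...) call into a compile-time error rather than a silent authorization bypass.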

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-44221
GHSA-FXC7-FM93-6Q77

Affected Products

Arcadedb