PT-2026-47575 — Github.Com/Basekick-Labs/Arc

PT-2026-47575 · Go · Github.Com/Basekick-Labs/Arc

Published

2026-06-08

Updated

2026-06-08

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Arc's user-SQL validator (internal/api/query.go:ValidateSQLRequest) blocked only read parquet( and arc partition agg( via regex denylist. The broader DuckDB I/O function family — read csv auto, read csv, read json, read json auto, read text, read blob, glob, parquet metadata, parquet schema, read xlsx, etc. — was not blocked. RBAC table-reference extraction inspected only FROM/JOIN clauses, so scalar table functions in the SELECT list slipped past both layers.

Impact

Any authenticated user, including a token with permissions: [], can read arbitrary local files via:

POST /api/v1/query
Authorization: Bearer <token>
{"sql": "SELECT * FROM read csv auto('/etc/passwd', header=false, columns={'l':'VARCHAR'}) LIMIT 5"}

Confirmed reachable targets:

auth.db — bcrypt hashes for every API token, plus legacy SHA-256 rows.
arc.toml — S3 secrets, TLS keys.
/proc/self/environ — environment-variable secrets.
Cross-tenant Parquet files — bypasses RBAC because the tenant scope is enforced at the table layer, not on raw file paths.
SSRF when httpfs is loaded (any S3-backed deployment) — read csv auto('http://169.254.169.254/latest/meta-data/...') reaches instance metadata IPs.

Patches

Fixed in 2026.06.1 (PR #442) via a structural sandbox at the DuckDB layer:

SET GLOBAL allowed directories = [...] enumerates Arc's legitimate filesystem prefixes (storage roots + tier prefixes + import upload dir + compaction temp).
SET GLOBAL enable external access = false (one-way at runtime).
Verified by reading back the flag.

After lockdown, DuckDB refuses to open any file outside the allowlist and refuses further INSTALL/LOAD. Already-loaded extensions remain callable.

Workarounds

Restrict API access to known-trusted networks via firewall rules.
Temporary mitigation: add read csv*/read json*/glob etc. to dangerousSQLPattern in internal/api/query.go pending 2026.06.1.

Credits

Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.

Fix

SSRF

Information Disclosure

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918CWE-200CWE-22

Related Identifiers

GHSA-P2J4-C4G6-RPF5

Affected Products

Github.Com/Basekick-Labs/Arc