PT-2026-60692 · Maven · Com.Arcadedb:Arcadedb-Engine

CVE-2026-54076

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Impact

The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE SCHEMA permission could still mutate the database schema on its own database:
  • DROP PROPERTY <type>.<property>
  • ALTER TYPE <name> SUPERTYPE +<other> / -<other> (change the inheritance hierarchy)
  • ALTER TYPE <name> NAME <newName> (rename a type)
  • type alias and bucket changes
  • ALTER PROPERTY <type>.<property> ... (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) — the LocalProperty setters had no check at all
This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE SCHEMA as the gating right for schema mutation.

Affected component

Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.

Patches

Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.

Workarounds

Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.

Resources

Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.

Credit

Reported by Kai Aizen (SnailSploit).

Fix

Incorrect Authorization

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54076
GHSA-VG6X-6PG9-6QWG

Affected Products

Com.Arcadedb:Arcadedb-Engine