{"vulnerability": "ghsa-x8mg-6r4p-87pf", "sightings": [{"uuid": "6aba0b4e-065e-4649-a32c-90a7f62cb1af", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-x8mg-6r4p-87pf", "type": "seen", "source": "https://gist.github.com/alon710/52a35a35f7ac3d2e03985e364db77b59", "content": "# GHSA-X8MG-6R4P-87PF: GHSA-X8MG-6R4P-87PF: Cross-Database Insecure Direct Object Reference (IDOR) in ArcadeDB Server\n\n&gt; **CVSS Score:** 7.1\n&gt; **Published:** 2026-07-16\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-X8MG-6R4P-87PF\n\n## Summary\nAn Improper Authorization Bypass (Insecure Direct Object Reference) exists in ArcadeDB server prior to version 26.7.2. Fourteen specific HTTP handlers fail to validate permissions before retrieving and operating on a database instance. This architectural gap allows authenticated users authorized for only one database to read from and write to any other database on the server without restriction.\n\n## TL;DR\nArcadeDB fails to enforce permission checks in fourteen critical HTTP handlers, allowing low-privilege authenticated users to bypass database isolation and perform unauthorized read and write operations on any database on the server.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862 (Missing Authorization) / CWE-639 (Insecure Direct Object Reference)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v4.0 Score**: 7.1 (High Severity)\n- **EPSS Score**: 0.00043\n- **Impact**: Confidentiality High (VC:H), Integrity High (VI:H)\n- **Exploit Status**: Proof of Concept (PoC) documented\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- ArcadeDB Server\n- **arcadedb-server**: &lt; 26.7.2 (Fixed in: `26.7.2`)\n\n## Mitigation\n\n- Upgrade to com.arcadedb:arcadedb-server version 26.7.2 or higher.\n- Apply reverse proxy or Web Application Firewall (WAF) rules to restrict access to endpoints `/api/v1/batch/*`, `/api/v1/ts/*`, and `/api/v1/grafana/*`.\n- Deploy network segmentation to limit access to ArcadeDB REST port (2480) exclusively to authorized client applications.\n\n**Remediation Steps:**\n1. Identify and catalog all active ArcadeDB server instances across deployments.\n2. Inspect dependency files (e.g., pom.xml, build.gradle) to determine if deployed versions are below 26.7.2.\n3. Update dependencies to version 26.7.2 or later to apply the official security fixes.\n4. Deploy the updated builds to environments and verify successful connection filtering.\n5. For systems where immediate patching is impossible, implement URL-rewriting or gateway access control policies to drop traffic to vulnerable endpoints.\n\n## References\n\n- [Official GitHub Security Advisory](https://github.com/advisories/GHSA-x8mg-6r4p-87pf)\n- [ArcadeDB Repository](https://github.com/ArcadeData/arcadedb)\n- [ArcadeDB v26.7.2 Patch Release Notes](https://github.com/ArcadeData/arcadedb/releases/tag/26.7.2)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-X8MG-6R4P-87PF) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-16T23:48:09.649455Z"}, {"uuid": "c639987c-8f7e-4b14-8d2e-528e62575716", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-x8mg-6r4p-87pf", "type": "seen", "source": "https://gist.github.com/alon710/52a35a35f7ac3d2e03985e364db77b59", "content": "# GHSA-X8MG-6R4P-87PF: GHSA-X8MG-6R4P-87PF: Cross-Database Insecure Direct Object Reference (IDOR) in ArcadeDB Server\n\n&gt; **CVSS Score:** 7.1\n&gt; **Published:** 2026-07-16\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-X8MG-6R4P-87PF\n\n## Summary\nAn Improper Authorization Bypass (Insecure Direct Object Reference) exists in ArcadeDB server prior to version 26.7.2. Fourteen specific HTTP handlers fail to validate permissions before retrieving and operating on a database instance. This architectural gap allows authenticated users authorized for only one database to read from and write to any other database on the server without restriction.\n\n## TL;DR\nArcadeDB fails to enforce permission checks in fourteen critical HTTP handlers, allowing low-privilege authenticated users to bypass database isolation and perform unauthorized read and write operations on any database on the server.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862 (Missing Authorization) / CWE-639 (Insecure Direct Object Reference)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v4.0 Score**: 7.1 (High Severity)\n- **EPSS Score**: 0.00043\n- **Impact**: Confidentiality High (VC:H), Integrity High (VI:H)\n- **Exploit Status**: Proof of Concept (PoC) documented\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- ArcadeDB Server\n- **arcadedb-server**: &lt; 26.7.2 (Fixed in: `26.7.2`)\n\n## Mitigation\n\n- Upgrade to com.arcadedb:arcadedb-server version 26.7.2 or higher.\n- Apply reverse proxy or Web Application Firewall (WAF) rules to restrict access to endpoints `/api/v1/batch/*`, `/api/v1/ts/*`, and `/api/v1/grafana/*`.\n- Deploy network segmentation to limit access to ArcadeDB REST port (2480) exclusively to authorized client applications.\n\n**Remediation Steps:**\n1. Identify and catalog all active ArcadeDB server instances across deployments.\n2. Inspect dependency files (e.g., pom.xml, build.gradle) to determine if deployed versions are below 26.7.2.\n3. Update dependencies to version 26.7.2 or later to apply the official security fixes.\n4. Deploy the updated builds to environments and verify successful connection filtering.\n5. For systems where immediate patching is impossible, implement URL-rewriting or gateway access control policies to drop traffic to vulnerable endpoints.\n\n## References\n\n- [Official GitHub Security Advisory](https://github.com/advisories/GHSA-x8mg-6r4p-87pf)\n- [ArcadeDB Repository](https://github.com/ArcadeData/arcadedb)\n- [ArcadeDB v26.7.2 Patch Release Notes](https://github.com/ArcadeData/arcadedb/releases/tag/26.7.2)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-X8MG-6R4P-87PF) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-17T00:00:25.303309Z"}]}