External risk intelligence

ArcadeDB could allow internal attacker to access and modify data in unauthorized databases.

CVE advisory

Severity: CRITICAL (CVSS 9.0)

CVE-2026-44221

An internal attacker with limited ArcadeDB credentials can bypass security controls to read, change, or delete data in any database on the server. This flaw allows unauthorized access to sensitive company information and could result in the loss of administrative control over the entire database system.

Halo Surface Signal score for CVE-2026-44221: 2

External exposure likelihood

ArcadeDB is a database management system, a backend component typically deployed in segmented, internal networks. Standard deployment patterns place databases behind application tiers or firewalls, not directly on the public internet. While network-reachable within internal environments, it is not a service typically intended for direct public-facing exposure.

Horizon Alert

Summary of the vulnerability and why it matters

An issue in ArcadeDB allows authenticated users to bypass security controls and access or modify any database on the server, regardless of their assigned permissions. This could lead to unauthorized data exposure or manipulation.

  • Affects multiple databases on a server.
  • Compromise requires existing access.
  • Can lead to data exposure or modification.

Attack Path

How an attacker could exploit the issue

An attacker with existing database access or API token credentials can leverage this vulnerability to bypass authorization controls. This allows them to read, write, and alter schema across any database on the server, regardless of their initial permissions. Exploitation can occur through specially crafted API requests.

  • Authenticated access required.
  • Targets database and record authorization.
  • Databases created through the affected API command have their security silently disabled.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability in ArcadeDB allows authenticated users to bypass record-level and database-level authorization, potentially leading to complete data compromise. While the vulnerability exists, the specific nature of ArcadeDB as a backend database system suggests exploitation is more likely within internal environments rather than widespread public attacks.

  • Exploitation requires existing authentication.
  • No public exploits are currently known.
  • No KEV listing is observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize patching ArcadeDB to version 2.6.4 or later to address the critical authorization bypass vulnerability. If immediate patching is not feasible, implement strict network segmentation and access controls to isolate affected databases and prevent unauthorized access. Continuous monitoring for anomalous database activity and schema changes is crucial.

  • Upgrade ArcadeDB to 2.6.4 or later.
  • Isolate affected databases.
  • Monitor for suspicious schema changes.
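The monitoring recommendation above can be turned into a concrete check: compare each principal's activity against the databases and roles they were actually granted, and flag anything that crosses that scope, which is exactly the pattern this authorization bypass enables. The following is an added illustration, not code from Halo or the ArcadeDB project. The grant table, role names, operation names and the pipe-separated event lines are all constructed for the example; ArcadeDB's real audit format and permission model are not assumed.

```python
"""Detection sketch: flag activity that crosses a principal's granted scope.

Everything here is constructed for illustration. The grant table, the role
names and the pipe-separated event format are assumptions for the example,
not ArcadeDB's real audit log or permission model.
"""
from dataclasses import dataclass

# Constructed role ranks and operation classes: the lowest role rank that
# may legitimately perform each class of operation.
ROLE_RANK = {"read": 0, "write": 1, "admin": 2}
READ_OPS = {"SELECT"}
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}
SCHEMA_OPS = {"CREATE TYPE", "ALTER TYPE", "DROP TYPE", "CREATE INDEX", "DROP INDEX"}


@dataclass(frozen=True)
class Event:
    user: str
    database: str
    operation: str


# Constructed grants: user -> {database: role}. A user missing here, or a
# database missing from a user's map, has no legitimate reason to touch it.
GRANTS = {
    "app_orders": {"orders": "write"},
    "app_reporting": {"orders": "read", "reporting": "admin"},
    "dba": {"orders": "admin", "reporting": "admin", "hr": "admin"},
}

# Constructed sample events, one per line: user|database|operation
SAMPLE_LOG = """\
app_orders|orders|SELECT
app_orders|orders|UPDATE
app_orders|hr|SELECT
app_orders|hr|ALTER TYPE
app_reporting|reporting|CREATE INDEX
app_reporting|orders|DROP TYPE
dba|hr|CREATE TYPE
svc_token_17|payroll|CREATE DATABASE
"""


def parse_events(text):
    """Parse the constructed pipe-separated event lines into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, database, operation = (f.strip() for f in line.split("|", 2))
        events.append(Event(user, database, operation))
    return events


def required_rank(operation):
    """Role rank an operation needs; schema ops and unknown ops need admin."""
    if operation in READ_OPS:
        return ROLE_RANK["read"]
    if operation in WRITE_OPS:
        return ROLE_RANK["write"]
    return ROLE_RANK["admin"]


def classify(event, grants=GRANTS):
    """Return a finding label for an event, or None when it is within scope."""
    if event.operation == "CREATE DATABASE":
        # The advisory notes that databases created through the affected API
        # command had security silently disabled, so every new database is
        # worth a review of its security settings.
        return "new database created; verify security is enabled"
    role = grants.get(event.user, {}).get(event.database)
    if role is None:
        kind = "schema change" if event.operation in SCHEMA_OPS else "access"
        return f"{kind} in database not granted to user"
    if ROLE_RANK[role] < required_rank(event.operation):
        return f"{event.operation} exceeds granted role '{role}'"
    return None


def findings(text, grants=GRANTS):
    """All (event, label) pairs that fall outside the principal's scope."""
    return [(e, label) for e in parse_events(text) if (label := classify(e, grants))]


def users_crossing_scope(text, grants=GRANTS):
    """Users seen touching databases they hold no grant on: the lateral-movement signal."""
    out = {}
    for e in parse_events(text):
        if e.database not in grants.get(e.user, {}):
            out.setdefault(e.user, set()).add(e.database)
    return out


if __name__ == "__main__":
    for e, label in findings(SAMPLE_LOG):
        print(f"[{label}] {e.user} -> {e.database}: {e.operation}")
```

The grant table is the piece worth keeping accurate in practice: it should be exported from the database's own user and permission configuration rather than maintained by hand, so that a successful bypass shows up as a mismatch between what the server enforced and what the administrator intended.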

Frequently asked questions

What is ArcadeDB and what is it used for?

ArcadeDB is a multi-model database management system. It is used to store and manage various types of data, supporting different data models within a single database. It acts as a backend component for applications that require robust data storage and retrieval capabilities.

How does CVE-2026-44221 bypass security in ArcadeDB?

CVE-2026-44221 is a critical authorization bypass vulnerability. It stems from two defects where security checks related to user permissions and database creation are mishandled. This allows authenticated users with access to one database to affect schema and data in any other database on the same server.

What conditions are needed for an attacker to exploit this CVE?

An attacker must already have authenticated access to the ArcadeDB server, either as a user or via an API token. The vulnerability can be triggered through API requests, and crucially, creating new databases via a specific API command also silently disables their security, making them vulnerable.

Who should be concerned about this vulnerability based on its reach?

Organizations using ArcadeDB should be concerned, particularly if it's deployed in an internal network. While the vulnerability is classified as external due to network exploitability, ArcadeDB is typically a backend system not directly exposed to the internet. The primary risk is to internal environments where an authenticated attacker could move laterally between databases.

What is the first step to respond to this threat advisory?

The immediate first step is to upgrade ArcadeDB to version 2.6.4 or a later release, as this version contains the fix for the vulnerability. If upgrading is not immediately possible, implementing strict network segmentation and access controls to isolate databases is a critical interim measure.
