GHSA-VWJC-V7X7-CM6G
Vulnerability from github – Published: 2026-07-16 20:17 – Updated: 2026-07-16 20:17The GHSA-48qw-824m-86pr hardening added a checkPermissionsOnDatabase(UPDATE_SECURITY) gate on the polyglot engine (PolyglotQueryEngine.java:112-114,126,176,199), but only there. The SQL route to JavaScript never touches it: DefineFunctionStatement.executeSimple (DefineFunctionStatement.java:37-100), LocalSchema.registerFunctionLibrary, and SQLQueryEngine library-function invocation (SQLQueryEngine.java:198-224) do no scripting-permission check.
Exploit: any user authorized for the DB (including a read-only role) runs POST /api/v1/command/ {"language":"sql","command":"DEFINE FUNCTION x.run \"\" LANGUAGE js"} then SELECT x.run(), executing arbitrary JavaScript and defeating the control meant to restrict scripting to security admins. On this path allowedPackages is empty so Java.type host lookup and reflection are blocked, but IOAccess.ALL still permits load(url) SSRF/remote-JS inclusion and unbounded CPU/memory DoS.
Fix: gate DefineFunctionStatement.executeSimple, the SQLQueryEngine library-function wrapper (to also cover pre-existing libraries), and DeleteFunctionStatement with UPDATE_SECURITY for js/polyglot languages. Centralize as one assertCanExecuteUserCode(database) invoked by every code-execution surface. Also set IOAccess.NONE / PolyglotAccess.NONE on the Context (GraalPolyglotEngine.java:86,91).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.arcadedb:arcadedb-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T20:17:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The GHSA-48qw-824m-86pr hardening added a checkPermissionsOnDatabase(UPDATE_SECURITY) gate on the polyglot engine (PolyglotQueryEngine.java:112-114,126,176,199), but only there. The SQL route to JavaScript never touches it: DefineFunctionStatement.executeSimple (DefineFunctionStatement.java:37-100), LocalSchema.registerFunctionLibrary, and SQLQueryEngine library-function invocation (SQLQueryEngine.java:198-224) do no scripting-permission check.\n\nExploit: any user authorized for the DB (including a read-only role) runs POST /api/v1/command/\u003cdb\u003e {\"language\":\"sql\",\"command\":\"DEFINE FUNCTION x.run \\\"\u003cjs\u003e\\\" LANGUAGE js\"} then SELECT x.run(), executing arbitrary JavaScript and defeating the control meant to restrict scripting to security admins. On this path allowedPackages is empty so Java.type host lookup and reflection are blocked, but IOAccess.ALL still permits load(url) SSRF/remote-JS inclusion and unbounded CPU/memory DoS.\n\nFix: gate DefineFunctionStatement.executeSimple, the SQLQueryEngine library-function wrapper (to also cover pre-existing libraries), and DeleteFunctionStatement with UPDATE_SECURITY for js/polyglot languages. Centralize as one assertCanExecuteUserCode(database) invoked by every code-execution surface. Also set IOAccess.NONE / PolyglotAccess.NONE on the Context (GraalPolyglotEngine.java:86,91).",
"id": "GHSA-vwjc-v7x7-cm6g",
"modified": "2026-07-16T20:17:42Z",
"published": "2026-07-16T20:17:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-vwjc-v7x7-cm6g"
},
{
"type": "PACKAGE",
"url": "https://github.com/ArcadeData/arcadedb"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/releases/tag/26.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ArcadeDB: Scripting authorization gate (GHSA-48qw) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.