GHSA-VG6X-6PG9-6QWG

Vulnerability from github – Published: 2026-07-16 20:08 – Updated: 2026-07-16 20:08
VLAI
Summary
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)
Details

Impact

The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE_SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE_SCHEMA permission could still mutate the database schema on its own database:

  • DROP PROPERTY <type>.<property>
  • ALTER TYPE <name> SUPERTYPE +<other> / -<other> (change the inheritance hierarchy)
  • ALTER TYPE <name> NAME <newName> (rename a type)
  • type alias and bucket changes
  • ALTER PROPERTY <type>.<property> ... (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) — the LocalProperty setters had no check at all

This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE_SCHEMA as the gating right for schema mutation.

Affected component

Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.

Patches

Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.

Workarounds

Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.

Resources

Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.

Credit

Reported by Kai Aizen (SnailSploit).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.arcadedb:arcadedb-engine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-16T20:08:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an `UPDATE_SCHEMA` authorization check to a single schema-mutating method (`LocalDocumentType.createProperty`). The remaining public schema mutators were left unchecked, so an authenticated identity (including a **read-only API token**) that lacks the `UPDATE_SCHEMA` permission could still mutate the database schema on its own database:\n\n- `DROP PROPERTY \u003ctype\u003e.\u003cproperty\u003e`\n- `ALTER TYPE \u003cname\u003e SUPERTYPE +\u003cother\u003e` / `-\u003cother\u003e` (change the inheritance hierarchy)\n- `ALTER TYPE \u003cname\u003e NAME \u003cnewName\u003e` (rename a type)\n- type alias and bucket changes\n- `ALTER PROPERTY \u003ctype\u003e.\u003cproperty\u003e ...` (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) \u2014 the `LocalProperty` setters had no check at all\n\nThis does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises `UPDATE_SCHEMA` as the gating right for schema mutation.\n\n### Affected component\n\nEngine schema layer: `engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java` and `engine/src/main/java/com/arcadedb/schema/LocalProperty.java`, reachable via the SQL `DROP PROPERTY`, `ALTER TYPE`, and `ALTER PROPERTY` statements over the database command/query HTTP endpoints.\n\n### Patches\n\nEvery public schema-mutating method on `LocalDocumentType` and `LocalProperty` now enforces `checkPermissionsOnDatabase(UPDATE_SCHEMA)` via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.\n\n### Workarounds\n\nGrant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.\n\n### Resources\n\nIncomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.\n\n### Credit\n\nReported by Kai Aizen (SnailSploit).",
  "id": "GHSA-vg6x-6pg9-6qwg",
  "modified": "2026-07-16T20:08:24Z",
  "published": "2026-07-16T20:08:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-vg6x-6pg9-6qwg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ArcadeData/arcadedb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/releases/tag/26.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…