
CVE-2026-44221 — ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases

CVSS 9.0 · Critical · EPSS 0.04% · P11

Affected Version Matrix

Vendor      Product   Version Range  Status
ArcadeData  arcadedb  < 2.6.4        affected

I. Basic Information for CVE-2026-44221

Vulnerability Information


Vulnerability Title
ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases
Source: NVD (National Vulnerability Database)
Vulnerability Description
ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal. This vulnerability is fixed in 2.6.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Incorrect Authorization
Source: NVD (National Vulnerability Database)
Vulnerability Title
arcadedb security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
arcadedb is a high-performance multi-model database management system open-sourced by Arcade Data. Versions of ArcadeDB prior to 2.6.4 contain a security vulnerability stemming from two defects: ServerSecurityUser.getDatabaseUser() returns a database user with an uninitialized fileAccessMap, and ArcadeDBServer.createDatabase() omits the setSecurity call, which may allow any authenticated principal to bypass record-level and database-level authorization.
Source: CNNVD (China National Vulnerability Database)
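Both defects named in the NVD and CNNVD descriptions above are fail-open defaults: a permission map that was never initialized is read as "allow everything", and a database built without a security layer enforces nothing. The model below is added here and is not ArcadeDB's code; it borrows the advisory's names (getDatabaseUser, fileAccessMap, requestAccessOnFile, createDatabase) for a hypothetical reconstruction of that logic and places the hardened fail-closed rule and a defender-side audit beside each defect.

```python
"""Simplified model of the two defect classes in the CVE-2026-44221 advisory.
Constructed illustration, not ArcadeDB's code; names follow the advisory."""
from dataclasses import dataclass, field
from typing import Optional

FileAccessMap = dict[str, set[str]]          # file -> granted operations

@dataclass
class DatabaseUser:
    name: str
    file_access_map: Optional[FileAccessMap]  # None = never initialized

@dataclass
class ServerSecurityUser:
    name: str
    databases: dict[str, FileAccessMap] = field(default_factory=dict)

    def get_database_user(self, db: str) -> DatabaseUser:
        # A database this account was never granted yields a None map:
        # the "uninitialized fileAccessMap" the advisory describes.
        return DatabaseUser(self.name, self.databases.get(db))

def request_access_on_file(user: DatabaseUser, file: str, op: str,
                           fail_closed: bool) -> bool:
    """Defect (1): a missing map read as allow-all (fail_closed=False),
    versus the hardened rule that no grant means deny."""
    if user.file_access_map is None:
        return not fail_closed
    return op in user.file_access_map.get(file, set())

@dataclass
class Database:
    name: str
    security: Optional[object]               # None = authorization disabled

    def authorize(self, user: DatabaseUser, file: str, op: str) -> bool:
        if self.security is None:            # Defect (2): nothing enforces
            return True
        return request_access_on_file(user, file, op, fail_closed=True)

def create_database(name: str, security: Optional[object] = None,
                    require_security: bool = True) -> Database:
    """Defect (2) is a caller omitting security; the hardened factory refuses."""
    if security is None and require_security:
        raise ValueError(f"refusing to create {name!r} without a security layer")
    return Database(name, security)

def audit_unsecured(dbs: list[Database]) -> list[str]:
    """Defender check: databases created with no security layer attached."""
    return [d.name for d in dbs if d.security is None]
```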
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor      Product   Affected Versions  CPE
ArcadeData  arcadedb  < 2.6.4            -

II. Public POCs for CVE-2026-44221


III. Intelligence Information for CVE-2026-44221


IV. Related Vulnerabilities

V. Comments for CVE-2026-44221

No comments yet