{"uuid":"GSA_kwCzR0hTQS1meGM3LWZtOTMtNnE3N84ABWOA","url":"https://github.com/advisories/GHSA-fxc7-fm93-6q77","title":"ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases","description":"### Impact\nAuthenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {\"command\":\"create database X\"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal.\n\n### Patches\nUpgrade to version 26.4.2\n\n### Resources\n\nhttps://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2026-05-05T22:22:22.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","references":["https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77","https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8","https://nvd.nist.gov/vuln/detail/CVE-2026-44221","https://github.com/advisories/GHSA-fxc7-fm93-6q77"],"source_kind":"github","identifiers":["GHSA-fxc7-fm93-6q77","CVE-2026-44221"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-05T23:00:08.441Z","updated_at":"2026-05-14T12:00:29.391Z","epss_percentage":0.00036,"epss_percentile":0.10691,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1meGM3LWZtOTMtNnE3N84ABWOA","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1meGM3LWZtOTMtNnE3N84ABWOA","packages":[{"ecosystem":"maven","package_name":"com.arcadedb:arcadedb-server","versions":[{"first_patched_version":"26.4.2","vulnerable_version_range":"\u003c 26.4.2"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1meGM3LWZtOTMtNnE3N84ABWOA/related_packages","related_advisories":[]}