CVE-2026-44221CRITICAL 9.0EPSS p26.1%

CVE-2026-44221CVE-2026-44221

Description

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal. This vulnerability is fixed in 2.6.4.

Scoring

CVSS 3.19.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS0.34% probability of exploitation · percentile 26.1% · 2026-06-18T12:00:27Z
Published2026-05-12
Last modified2026-05-13

Underlying weaknesses· 1

CWE-863

References

  1. https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8
  2. https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77

1

TypeTargetConfidenceTier
WeaknessIncorrect Authorizationcwe-8630%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-21721
CVE
CVE-2026-46481
CVE
CVE-2026-26218
CVE
CVE-2025-27696
CVE
CVE-2026-42463
CVE
CVE-2025-24924
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.