ArcadeDB, the high-performance Multi-Model DBMS known for its “Alien Technology” engine and extreme “mechanical sympathy” optimizations, has released an urgent security update to address a critical vulnerability. The flaw, tracked as CVE-2026-44221, carries a CVSS score of 9.0, highlighting a severe breakdown in the system’s authorization architecture.
The vulnerability effectively dismantles the isolation between different databases on the same server, allowing users to cross security boundaries they should never be able to reach.
ArcadeDB is designed to be a fully transactional DBMS with advanced security features. However, researchers discovered two distinct architectural defects that, when combined, allowed for a total authorization bypass.
The first issue resides in how the server handles database user sessions. Specifically, the ServerSecurityUser.getDatabaseUser() function returned a user object with an uninitialized fileAccessMap. In a classic logic error, the system’s requestAccessOnFile function treated this empty map as an “allow-all” signal. This meant an authenticated user or API token scoped to one database could suddenly read, write, or mutate the schema of any other database on that server.
The second defect involves the creation of new databases. The ArcadeDBServer.createDatabase() function was found to omit the crucial factory.setSecurity(…) call. Consequently, any database created through the standard API command (POST /api/v1/server {"command":"create database X"}) was born with its entire record-level authorization system silently disabled.
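The two defects above are both instances of a fail-open default: a permission map that is treated as "no restrictions" when it was never populated, and a factory that produces a database with no security layer attached. The following Python model is an added illustration and is not ArcadeDB's code; the class and method names (`request_access_on_file`, `create_database`, `file_access_map`) only echo the advisory's wording, and the `Database`, `SecurityLayer` and `read_record` helpers are hypothetical. Each vulnerable variant sits beside a fail-closed counterpart.

```python
"""Hypothetical model of two fail-open authorization defaults (not ArcadeDB code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


# ---- Defect 1: an uninitialised permission map read as "allow-all" ----

@dataclass
class VulnerableUser:
    name: str
    # None stands in for the "uninitialized fileAccessMap" from the advisory.
    file_access_map: Optional[Dict[str, Set[str]]] = None

    def request_access_on_file(self, database: str, mode: str) -> bool:
        # Fail-open logic error: an empty/missing map grants everything.
        if not self.file_access_map:
            return True
        return mode in self.file_access_map.get(database, set())


@dataclass
class HardenedUser:
    name: str
    # Always initialised; an empty map means "no access anywhere".
    file_access_map: Dict[str, Set[str]] = field(default_factory=dict)

    def request_access_on_file(self, database: str, mode: str) -> bool:
        # Fail closed: absence of an entry for this database is a denial.
        allowed = self.file_access_map.get(database)
        if allowed is None:
            return False
        return mode in allowed


# ---- Defect 2: a factory that never attaches the security layer ----

class SecurityLayer:
    """Hypothetical record-level authorization hook."""

    def check(self, user, database: str, mode: str) -> bool:
        return user.request_access_on_file(database, mode)


@dataclass
class Database:
    name: str
    security: Optional[SecurityLayer] = None  # None = record checks disabled


class VulnerableFactory:
    def create_database(self, name: str) -> Database:
        # The setSecurity(...) step is simply forgotten.
        return Database(name)


class HardenedFactory:
    def __init__(self, security: SecurityLayer) -> None:
        if security is None:
            raise ValueError("a security layer is mandatory")
        self.security = security

    def create_database(self, name: str) -> Database:
        # Security is attached as part of construction, not as an optional step.
        return Database(name, security=self.security)


def read_record(db: Database, user, record: str) -> Optional[str]:
    """Return the record only if the database enforces and passes the check.

    A database with no security layer is refused outright (fail closed)
    rather than skipping the check as the vulnerable path would.
    """
    if db.security is None:
        return None
    if not db.security.check(user, db.name, "read"):
        return None
    return record


def demonstrate() -> Dict[str, object]:
    # Constructed scenario: a user scoped only to "db_a" probing "db_b".
    scoped = {"db_a": {"read"}}
    outcomes = {
        "vulnerable_user_cross_db": VulnerableUser("alice").request_access_on_file("db_b", "read"),
        "hardened_user_cross_db": HardenedUser("alice", dict(scoped)).request_access_on_file("db_b", "read"),
        "hardened_user_own_db": HardenedUser("alice", dict(scoped)).request_access_on_file("db_a", "read"),
        "vulnerable_factory_has_security": VulnerableFactory().create_database("db_b").security is not None,
        "hardened_factory_has_security": HardenedFactory(SecurityLayer()).create_database("db_b").security is not None,
    }
    hardened_db = HardenedFactory(SecurityLayer()).create_database("db_b")
    outcomes["hardened_read_cross_db"] = read_record(hardened_db, HardenedUser("alice", dict(scoped)), "secret")
    outcomes["unsecured_db_read"] = read_record(VulnerableFactory().create_database("db_b"), HardenedUser("alice", dict(scoped)), "secret")
    return outcomes


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The design point is that both fixes make the secure state the only reachable one: the permission map can never be absent, and a database cannot exist without its security layer, so a forgotten initialisation step becomes a construction error instead of a silent bypass.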
The combination of these flaws represents a catastrophic failure of multi-tenancy and data isolation. Any authenticated principal—even those with highly restricted access—could bypass both record-level and database-level security controls.
Potential risks include:
- Data Exfiltration: Reading sensitive records from “isolated” sibling databases.
- Unauthorized Modification: Writing or deleting data across the entire server.
- Schema Mutation: Altering database structures to disrupt services or create further backdoors.
The ArcadeDB team has moved quickly to rectify these engine-level oversights. Because the vulnerability affects the core server logic and the very foundation of newly created databases, there are no viable manual workarounds.
All administrators are urged to upgrade immediately to ArcadeDB 26.4.1.