Critical vulnerability, active

ArcadeDB Authorization Bypass via Uninitialized Security Context and Disabled Schema Enforcement

Two compounding defects in ArcadeDB allow authenticated users to bypass database and record-level authorization controls: uninitialized fileAccessMap treated as allow-all, and newly-created databases with disabled security factories. Any authenticated principal can read/write/mutate schemas across all databases on a shared server.

Sebastion

CVE References

Affected

ArcadeData/arcadedb (<26.4.2)

Vulnerability Description

This vulnerability is a critical authorization control failure stemming from two distinct implementation defects that compound into cross-database privilege escalation. The root causes are: (1) ServerSecurityUser.getDatabaseUser() initializes a database user object with an uninitialized fileAccessMap, which requestAccessOnFile() then treats as a permissive allow-all policy rather than deny-by-default; (2) ArcadeDBServer.createDatabase() omits the required factory.setSecurity(...) call during database instantiation, leaving the record-level authorization system completely disabled on newly created databases. This is an authorization control bypass, not an authentication bypass: it requires valid credentials but undermines all downstream access controls.

Proof-of-Concept Significance

The PoC discloses a reliable, deterministic vulnerability that affects any multi-tenant ArcadeDB deployment. Preconditions are minimal: an attacker requires only valid authentication (any database-scoped API token or user account). The vulnerability is highly exploitable in production because: (1) it requires no special network position or race conditions; (2) the uninitialized fileAccessMap is a logic error triggered on every getDatabaseUser() call; (3) newly-created databases via the REST API are silently insecure by default. This affects both record-level data access and schema mutation capabilities across database boundaries.

Detection Guidance

Log Indicators:

  • Cross-database access attempts in audit logs from single authenticated principals
  • POST /api/v1/server requests with {"command":"create database ..."} followed by immediate schema modifications from unexpected sources
  • fileAccessMap initialization failures (if verbose logging enabled) or null-pointer exceptions in authorization stacks
  • Discrepancies between database-scoped API token permissions and actual access granted (compare token scope metadata to audit logs)

Detection Approach:

  • Query audit logs for single principals accessing multiple databases simultaneously or in short time windows
  • Monitor REST API logs for database creation endpoints and correlate with subsequent unauthorized schema operations
  • Alert on failed authorization checks being silently converted to allow conditions
  • Baseline expected cross-database queries and flag outliers
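As an added example (not code from the advisory or from the ArcadeDB project), the following Python implements the three log-based checks above over a constructed audit sample. The line layout, principal names, database names and operation names are assumptions, since the advisory does not specify ArcadeDB's audit log format; adapt parse() to the real layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCHEMA_OPS = {"CREATE_TYPE", "ALTER_TYPE", "DROP_TYPE", "CREATE_INDEX", "DROP_INDEX"}
# Constructed sample audit lines: "<ISO timestamp> <principal> <database> <operation>".
# svc_billing is scoped to "billing" only, yet reads hr, alters crm, and mutates
# the schema of tenant42 seconds after admin created it.
SAMPLE_LOG = """\
2024-05-01T10:00:00 svc_billing billing SELECT
2024-05-01T10:00:09 svc_billing hr SELECT
2024-05-01T10:00:12 svc_billing crm ALTER_TYPE
2024-05-01T10:30:00 admin tenant42 CREATE_DATABASE
2024-05-01T10:30:03 svc_billing tenant42 CREATE_TYPE
2024-05-01T11:00:00 svc_hr hr SELECT
"""

def parse(text):
    """Parse audit lines into sorted (timestamp, principal, database, operation) tuples."""
    events = []
    for line in text.splitlines():
        ts, principal, db, op = line.split()
        events.append((datetime.fromisoformat(ts), principal, db, op))
    return sorted(events)

def cross_database_principals(events, window=timedelta(minutes=5), min_dbs=2):
    """Principals touching >= min_dbs distinct databases inside one sliding `window`."""
    by_principal = defaultdict(list)
    for ts, principal, db, _ in events:
        by_principal[principal].append((ts, db))
    flagged = {}
    for principal, rows in by_principal.items():
        for i, (start, _) in enumerate(rows):
            dbs = {db for ts, db in rows[i:] if ts - start <= window}
            if len(dbs) >= min_dbs:
                flagged[principal] = sorted(dbs)
                break
    return flagged

def out_of_scope_access(events, token_scope):
    """Accesses outside a principal's declared token scope (scope metadata vs. audit log)."""
    return [(p, db, op) for _, p, db, op in events
            if p in token_scope and db not in token_scope[p]]

def schema_changes_after_create(events, window=timedelta(minutes=10)):
    """Schema mutations on a freshly created database by someone other than its creator."""
    return [(db, p, op)
            for cts, creator, cdb, cop in events if cop == "CREATE_DATABASE"
            for ts, p, db, op in events
            if db == cdb and op in SCHEMA_OPS and p != creator
            and timedelta(0) <= ts - cts <= window]
```

The token_scope mapping for out_of_scope_access() is the per-principal set of databases a token is supposed to reach, taken from token metadata rather than from the log itself.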

Mitigation Steps

Immediate Actions:

  1. Patch: Upgrade all ArcadeDB instances to version 26.4.2 or later immediately
  2. Access Control Hardening: Implement network-layer restrictions limiting which principals can call /api/v1/server with the create database command
  3. Audit Review: Query historical database creation events and audit logs for unauthorized cross-database access patterns
  4. Token Rotation: Rotate all long-lived API tokens and database-scoped credentials, particularly those with server admin capabilities
  5. Temporary Workaround (if patching delayed): Disable REST API database creation; restrict create database operations to direct administrative channels only

Risk Assessment

Likelihood of Exploitation in the Wild: Very High

  • The vulnerability requires only basic authentication and no special techniques
  • Multi-tenant SaaS deployments are attractive targets
  • The bug was silently present in newly-created databases, making it invisible to many operators

Threat Actor Interest: High

  • APTs conducting lateral movement in compromised environments would immediately exploit this for cross-database data exfiltration
  • Insider threats or supply-chain compromises could leverage this to access isolated customer data
  • Ransomware operators could use schema mutation capabilities to disable databases across tenants

Business Impact: Complete breakdown of multi-tenant isolation; data confidentiality, integrity, and availability loss across all databases on shared infrastructure.