{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44221","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-05T15:42:40.518Z","datePublished":"2026-05-12T19:53:39.307Z","dateUpdated":"2026-05-13T14:48:45.728Z"},"containers":{"cna":{"title":"ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases","problemTypes":[{"descriptions":[{"cweId":"CWE-863","lang":"en","description":"CWE-863: Incorrect Authorization","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77","tags":["x_refsource_CONFIRM"],"url":"https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77"},{"name":"https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8","tags":["x_refsource_MISC"],"url":"https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8"}],"affected":[{"vendor":"ArcadeData","product":"arcadedb","versions":[{"version":"< 2.6.4","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-12T19:53:39.307Z"},"descriptions":[{"lang":"en","value":"ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. \nTwo distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {\"command\":\"create database X\"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal. This vulnerability is fixed in 2.6.4."}],"source":{"advisory":"GHSA-fxc7-fm93-6q77","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-13T14:48:34.987565Z","id":"CVE-2026-44221","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-13T14:48:45.728Z"}}]}}