Security: ArcadeData/arcadedb
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
JavaScript trigger sandbox escape via bound database object grants server-wide adminGHSA-38pf-6hp2-pxww published
Jul 17, 2026 by robfrankHigh -
MCP get_server_settings leaks HA clusterToken in cleartext enabling root impersonationGHSA-p9wc-4fhr-78wm published
Jul 17, 2026 by robfrankHigh -
MCP command transport never binds authenticated principal, disabling all engine permission checksGHSA-6x73-v3rc-f57c published
Jul 17, 2026 by robfrankHigh -
Trigger scripts run with java.lang.* allowed, enabling OS command execution (RCE)GHSA-x9f9-r4m8-9xc2 published
Jul 9, 2026 by lvcaHigh -
Scripting authorization gate (GHSA-48qw) bypassed via SQL DEFINE FUNCTION ... LANGUAGE jsGHSA-vwjc-v7x7-cm6g published
Jul 9, 2026 by lvcaHigh -
Cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorizationGHSA-x8mg-6r4p-87pf published
Jul 9, 2026 by lvcaHigh -
Cluster token disclosed via GET /api/v1/server enables root impersonationGHSA-46hj-24h4-j8gf published
Jul 9, 2026 by lvcaCritical -
Read-only users can mutate type schema via ALTER TYPE CUSTOM and BUCKETSELECTIONSTRATEGY (missing UPDATE_SCHEMA check, sibling gap of GHSA-vg6x/GHSA-fxc7)GHSA-8vr5-263f-x5r3 published
Jul 9, 2026 by lvcaHigh -
Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file readGHSA-48qw-824m-86pr published
Jul 1, 2026 by lvcaHigh -
IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated usersGHSA-8w86-m9h8-hvqg published
Jun 5, 2026 by robfrankHigh