Skip to content

Cluster token disclosed via GET /api/v1/server enables root impersonation

Critical
lvca published GHSA-46hj-24h4-j8gf Jul 9, 2026

Package

maven com.arcadedb:arcadedb-server (Maven)

Affected versions

< 26.7.2

Patched versions

26.7.2

Description

GET /api/v1/server requires only authentication (no root check). exportSettings emits every non-DATABASE GlobalConfiguration key/value and masks only keys whose name contains "password"; it ignores the existing isHidden() predicate that already flags arcadedb.ha.clusterToken as secret, so the token is returned in clear (GetServerHandler.java:60,71-73; GlobalConfiguration.java:890,1546). Separately, validateClusterForwardedAuth treats a request carrying X-ArcadeDB-Cluster-Token + X-ArcadeDB-Forwarded-User as that user with NO password (AbstractServerHttpHandler.java:164-171,495-528).

Exploit: a low-privilege authenticated user (even scoped to one DB) calls GET /api/v1/server, reads arcadedb.ha.clusterToken, then replays any admin request (e.g. POST /api/v1/server create user) with X-ArcadeDB-Cluster-Token: and X-ArcadeDB-Forwarded-User: root -> full root (server shutdown, DB create/drop, user creation, restore/import). Reachable even without HA (falls back to the config value). Caveat: only exploitable when an operator explicitly sets HA_CLUSTER_TOKEN; when left default it is auto-generated and the config value stays empty.

Fix: in exportSettings skip/mask any cfg.isHidden() entry (route all config serialization through the single redaction predicate; default-redact token/secret/key/password); gate GET /api/v1/server default/cluster modes behind checkRootUser.

Severity

Critical

CVE ID

No known CVE

Weaknesses

No CWEs