VDB
KO
HIGH 8.1

GHSA-vg6x-6pg9-6qwg

ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)

Details

### Impact

The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an `UPDATE_SCHEMA` authorization check to a single schema-mutating method (`LocalDocumentType.createProperty`). The remaining public schema mutators were left unchecked, so an authenticated identity (including a **read-only API token**) that lacks the `UPDATE_SCHEMA` permission could still mutate the database schema on its own database:

- `DROP PROPERTY <type>.<property>` - `ALTER TYPE <name> SUPERTYPE +<other>` / `-<other>` (change the inheritance hierarchy) - `ALTER TYPE <name> NAME <newName>` (rename a type) - type alias and bucket changes - `ALTER PROPERTY <type>.<property> ...` (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) — the `LocalProperty` setters had no check at all

This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises `UPDATE_SCHEMA` as the gating right for schema mutation.

### Affected component

Engine schema layer: `engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java` and `engine/src/main/java/com/arcadedb/schema/LocalProperty.java`, reachable via the SQL `DROP PROPERTY`, `ALTER TYPE`, and `ALTER PROPERTY` statements over the database command/query HTTP endpoints.

### Patches

Every public schema-mutating method on `LocalDocumentType` and `LocalProperty` now enforces `checkPermissionsOnDatabase(UPDATE_SCHEMA)` via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.

### Workarounds

Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.

### Resources

Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.

### Credit

Reported by Kai Aizen (SnailSploit).

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / com.arcadedb:arcadedb-engine
Introduced in: 0 Fixed in: 26.6.1
Fix # pom.xml: bump <version>26.6.1</version> for com.arcadedb:arcadedb-engine

References