GHSA-x8mg-6r4p-87pf
ArcadeDB has cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorization
Details
About 14 HTTP handlers resolve the {database} path param and call getDatabase(...) WITHOUT user.canAccessToDatabase(...) and without setting the engine principal, because they extend AbstractServerHttpHandler directly instead of DatabaseAbstractHandler (which holds the only per-database gate at DatabaseAbstractHandler.java:69,88-90). Affected: PostBatchHandler:129, PostTimeSeriesWriteHandler:115, PostPrometheusWriteHandler:83, PostTimeSeriesQueryHandler:69, GetTimeSeriesLatestHandler:58, PostGrafanaQueryHandler:69, GetGrafanaHealthHandler:49, GetGrafanaMetadataHandler:52, GetPromQLQueryHandler:63, GetPromQLQueryRangeHandler:71, GetPromQLLabelsHandler:56, GetPromQLLabelValuesHandler:62, GetPromQLSeriesHandler:72, PostPrometheusReadHandler:85. The engine fallback is also void: LocalDatabase.checkPermissionsOnDatabase:711 early-returns when getCurrentUser()==null.
Exploit: a user authorized only for DB 'a' calls POST /api/v1/batch/b, POST /api/v1/ts/b/write, GET /api/v1/ts/b/prom/api/v1/query, POST /api/v1/ts/b/query -> full read AND write of DB 'b' (200 OK). The equivalent /api/v1/command/b correctly returns 403.
Fix: re-parent these handlers to DatabaseAbstractHandler, or add a shared resolveAuthorizedDatabase() choke point that enforces canAccessToDatabase and sets the engine principal before getDatabase(...). Fail closed when the security context is absent.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 26.7.2 # pom.xml: bump <version>26.7.2</version> for com.arcadedb:arcadedb-server