Jul 17, 2026·6 min read·1 visit
ArcadeDB Server before 26.7.1 allows authenticated users with read-only privileges to escape the GraalVM scripting sandbox using reflection on bound Java objects, resulting in arbitrary host filesystem read access.
A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.
ArcadeDB Server before version 26.7.1 contains an improper privilege management vulnerability that permits authenticated database users with minimal permissions to escape the execution sandbox. The vulnerability resides within the polyglot scripting endpoint, which provides support for multi-language query execution including JavaScript via GraalVM. Under default configurations, the API endpoint fails to validate whether the executing security context possesses administrative authority.
By leveraging this lack of access control, an authenticated attacker with a read-only role can submit arbitrary JavaScript commands. The script execution environment utilizes a sandboxed GraalVM context designed to restrict access to underlying JVM features and host files. However, because a Java database reference is exposed directly to the guest context, the guest environment can traverse reflective boundaries to escape these restrictions.
This security bypass permits the attacker to load non-whitelisted Java classes, bypass filesystem access restrictions, and read arbitrary files from the host operating system. The flaw does not require administrative privileges or complex configurations, making exploitation highly reliable once an attacker gains basic database access.
The vulnerability stems from two distinct logical flaws in the application design. The first flaw is the complete absence of authorization checks within the PolyglotQueryEngine command processing pathway. In ArcadeDB, standard SQL and Cypher operations are strictly restricted according to role-based access control policies. However, the system did not enforce equivalent permission checks when processing scripting commands through the /api/v1/command/{database} endpoint.
The second flaw is an insufficient host-access configuration in the GraalVM guest engine. To facilitate query operations, the application binds a live Java database instance into the JavaScript context. The sandbox implementation restricts standard class lookups by enforcing an allowedPackages whitelist, which prevents scripts from directly importing packages like java.io.
Despite this restriction, the default GraalVM host-access policy (HostAccess.ALL) allowed the guest environment to perform reflection on any public methods of the bound database object. By invoking database.getClass().getClassLoader(), a script could obtain the JVM's ClassLoader object. Since the ClassLoader itself is outside the scope of the package whitelist filters, the script could use it to load arbitrary Java classes such as java.io.File and java.util.Scanner, effectively escaping the sandbox.
To resolve the privilege escalation, the maintainers implemented authorization enforcement on the scripting engine and restricted GraalVM host access. The patch gates the scripting operations under PolyglotQueryEngine behind the UPDATE_SECURITY role requirement. The check executes synchronously within the calling thread, blocking low-privileged database readers from accessing the scripting engine.
// Patched PolyglotQueryEngine.java
private void checkScriptingPermissions() {
// Restricts execution to users with UPDATE_SECURITY permissions
database.checkPermissionsOnDatabase(SecurityDatabaseUser.DATABASE_ACCESS.UPDATE_SECURITY);
}Additionally, the patch replaces the permissive HostAccess.ALL configuration with a customized sandbox policy. The new policy, defined as SANDBOXED_HOST_ACCESS, explicitly denies guest scripts from accessing the reflection API, the Class representation, and ClassLoader objects.
// Patched GraalPolyglotEngine.java
private static final HostAccess SANDBOXED_HOST_ACCESS = HostAccess.newBuilder(HostAccess.ALL)
.denyAccess(Class.class)
.denyAccess(ClassLoader.class)
.denyAccess(java.lang.reflect.AccessibleObject.class)
.denyAccess(java.lang.reflect.Member.class)
.build();By denying access to these critical Java classes, the reflection chain is severed at the source. Any attempt by a script to call .getClass() or retrieve a ClassLoader on a bound host object now results in an immediate security exception, preventing the guest context from loading arbitrary external classes.
Exploitation of this vulnerability requires network access to the ArcadeDB HTTP API and valid credentials for a database reader. An attacker submits a POST request to the /api/v1/command/{database} endpoint, specifying js as the query language. The command string contains the payload designed to escape the package whitelist using reflective access on the bound database instance.
The exploit sequence starts by obtaining the class loader via the bound database instance. The attacker uses the class loader to dynamically resolve the java.io.File and java.util.Scanner classes. These classes are then instantiated reflectively to bypass the standard import restrictions.
{
"language": "js",
"command": "var cl = database.getClass().getClassLoader(); var FileClass = cl.loadClass('java.io.File'); var ScannerClass = cl.loadClass('java.util.Scanner'); var fileObj = FileClass.getConstructor(cl.loadClass('java.lang.String')).newInstance('/etc/passwd'); var scannerObj = ScannerClass.getConstructor(cl.loadClass('java.io.File')).newInstance(fileObj); scannerObj.useDelimiter('\\\\A'); var content = scannerObj.hasNext() ? scannerObj.next() : ''; content;"
}The scanner instance reads the entire contents of the target file, which are returned in the HTTP response body. Because the execution runs within the security context of the ArcadeDB server process, the attacker can read any file that the application process has permissions to access.
The vulnerability represents a breakdown of security boundaries, transitioning an attacker from a restricted database reader to an entity capable of reading host files. This is reflected in the CVSS v3.1 score of 7.7, specifically highlighted by the Scope change metric (S:C). The escape from the GraalVM guest environment directly compromises the security of the underlying host operating system.
An attacker can exploit this access to read sensitive configuration files, database credentials, environment variables, or system files such as /etc/passwd. In cloud environments, this may expose metadata service tokens, potentially allowing broader lateral movement.
Although the default GraalVM configuration denies process creation, preventing direct remote code execution (RCE) via system commands, the ability to read arbitrary files remains a severe threat. Exfiltrated credentials can lead to full database compromise or host takeovers.
The primary remediation path is upgrading the ArcadeDB Server installation to version 26.7.1 or later. This release incorporates the administrative privilege validation and the hardened SANDBOXED_HOST_ACCESS configuration, which successfully prevents both the unauthorized command access and the reflection bypass.
If upgrading is not immediately feasible, organizations must restrict network access to the database HTTP port (default 2480) and the HA clustering port (default 2481). Implement firewall rules or security groups to ensure only trusted application servers can interact with these interfaces.
Additionally, review all database user roles and revoke command privileges for any non-essential accounts. Treat all users with query permissions as potentially fully trusted until the upgrade is completed, as the application cannot enforce effective database isolation boundaries under the vulnerable versions.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
ArcadeDB Server ArcadeData | < 26.7.1 | 26.7.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-269 / CWE-863 |
| Attack Vector | Network |
| CVSS | 7.7 |
| EPSS | Not Tracked |
| Impact | Arbitrary Host File Read / Sandbox Escape |
| Exploit Status | Proof-of-Concept |
| KEV Status | Not Listed |
The software does not properly restrict privileges, allowing an actor to obtain access to restricted actions or resources beyond their assigned capabilities.
CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.
CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.
CVE-2026-56271 represents a critical security flaw in Flowise, an open-source visual orchestration platform for Large Language Models (LLMs) and autonomous AI agents. The vulnerability occurs within the platform's enterprise passport authentication module, where default cryptographic parameters are used in the absence of explicit environment variables. Specifically, the middleware silently falls back to known, static hardcoded secrets ('auth_token' and 'refresh_token') and identifiers ('AUDIENCE' and 'ISSUER') to generate and verify session tokens. Consequently, remote unauthenticated attackers can construct arbitrary JSON Web Tokens (JWTs) signed with these hardcoded credentials to gain administrative entry to the application.
ArcadeDB is an open-source, multi-model database engine supporting graph, document, key-value, and vector models. In affected versions of ArcadeDB, the trigger script executor improperly configures GraalVM scripting engine permissions. By allowing the 'java.lang.*' package to be loaded within the scripting context, the sandbox environment can be bypassed. An authenticated user with schema administration privileges ('UPDATE_SCHEMA') can register a malicious script trigger that executes arbitrary Java host classes, leading to unauthenticated remote command execution under the context of the ArcadeDB server process.
A critical improper access control vulnerability (CWE-284) in the WebSocket upgrade endpoint of Le Circuit Électrique charging station backend allows remote, unauthenticated attackers to connect to the Charging Station Management System and impersonate charging stations.
CVE-2026-55040 is a critical security feature bypass vulnerability in Microsoft SharePoint Server arising from a weak authentication mechanism (CWE-1390). An unauthenticated remote attacker can exploit this security flaw over a network to bypass authentication validation routines, gaining unauthorized access to the application and complete control over sensitive enterprise data assets without any user interaction.