Database Access Flaw in ArcadeDB by ArcadeData
CVE-2026-44221

9 CRITICAL

Key Information:

Vendor: Arcadedata

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-44221?

ArcadeDB, a multi-model database management system, had significant access control vulnerabilities in versions prior to 2.6.4. Authenticated users and specific API tokens could read, write, and mutate schemas across all databases on the server. The flaw had two causes: first, a misconfigured file access map allowed unrestricted access to databases; second, the process of creating a new database omitted necessary security settings, which compromised record-level authorization. As a result, any authenticated user could bypass both record-level and database-level security, posing a major threat to data integrity and security within the system.

Affected Version(s)

arcadedb < 2.6.4

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved