An authorization bypass vulnerability in ArcadeDB allows authenticated users to perform unauthorized actions across multiple databases, compromising data isolation.

This vulnerability consists of two defects: failure to initialize file access maps and improper security configuration during database creation. These issues allow an authenticated principal to bypass both record-level and database-level authorization.

Successful exploitation allows an authenticated user to perform unauthorized read, write, and schema mutations on any database residing on the affected server. Given the 9.0 CVSS score, this represents a major risk to data integrity and multi-tenant isolation, potentially resulting in cross-database data leakage or catastrophic system-wide database corruption.

Immediate Action: Upgrade all instances of ArcadeDB to version 2.6.4 or later immediately.

Proactive Monitoring: Audit database access logs for unusual cross-database queries or unauthorized attempts to modify database schemas.

Compensating Controls: Enforce strict database-level access controls and review API token permissions to ensure the principle of least privilege is maintained.

Public Exploit Available: Not specified

This vulnerability fundamentally breaks the security model of the database server. Administrators must ensure all instances are updated to version 2.6.4 to restore proper authorization enforcement and prevent potential unauthorized data manipulation by authenticated entities.