github ArcadeData/arcadedb 26.7.3

5 hours ago

ArcadeDB 26.7.3

Overview

This is a focused hotfix on top of 26.7.2. It closes three security advisories from the internal audit - two in the MCP server transport and one in the JavaScript/Java trigger authorization gate - and repairs a data-loss regression in the 26.7.2 commutative super-node edge-append merge.

Upgrading from 26.7.2 is recommended, especially for deployments that expose the MCP server, run in server / multi-tenant mode, or store high-degree (super-node) graphs.

There are no breaking changes and no schema migration in this release.

Security Advisories

All three advisories were found in the same internal audit that produced the 26.7.2 fixes; they are MCP-transport and trigger issues that were not covered there.

  • MCP command transport disabled all engine permission checks (GHSA-6x73-v3rc-f57c). The MCP transport never bound the authenticated principal onto the request thread's DatabaseContext, so the engine permission gates (which are deliberate no-ops when no user is bound) silently passed for every MCP caller. A non-root, MCP-allowed reader could perform arbitrary writes, DDL and schema/security mutation; the query + js sub-case could execute arbitrary in-JVM JavaScript. The principal is now bound at the single DB-resolution chokepoint and cleared on the pooled worker thread, so the engine per-user gates enforce for MCP exactly as for the HTTP, Bolt, PostgreSQL and gRPC transports.
  • MCP get_server_settings leaked the HA clusterToken in cleartext (GHSA-p9wc-4fhr-78wm). The MCP get_server_settings tool masked only settings whose key contained "password", so arcadedb.ha.clusterToken was returned raw. That token is the trust anchor for cluster-forwarded authentication, so leaking it enables full root impersonation. This is the MCP sibling of the 26.7.2 fix (GHSA-46hj-24h4-j8gf); the tool now redacts value and default via GlobalConfiguration.isHidden(), matching GetServerHandler.
  • JavaScript / Java triggers could escalate a schema admin to server-wide admin (GHSA-38pf-6hp2-pxww). A JAVASCRIPT trigger binds the real database object into a GraalVM context, so its script could call database.getSecurity().createUser(...) and escalate an UPDATE_SCHEMA (schema-admin) user to a server-wide admin; a JAVA trigger runs an arbitrary loaded class. Creating both host-code trigger types now requires UPDATE_SECURITY at the LocalSchema.createTrigger chokepoint, mirroring the DEFINE FUNCTION ... LANGUAGE js gate (GHSA-vwjc-v7x7-cm6g). Declarative SQL triggers keep UPDATE_SCHEMA, and schema reload of existing triggers is unaffected.

Major Fixes

Graph engine

  • Edge-append merge no longer reverts concurrent writes on multi-page edge chunks (#5302). The commutative edge-append merge (GRAPH_EDGE_APPEND_MERGE, introduced in 26.7.2) resolved a commit-time page conflict by re-deriving the conflicted page and replaying the transaction's tracked appends. For an edge chunk stored as a multi-page record (a chunk that straddles a page boundary) this re-derivation was unsound: the rebase re-read the chunk through the transaction's stale in-transaction page copy and committed it, silently reverting concurrently committed appends on the continuation page - zeroed chunk tails, shifted/aliased pairs, lost edges, and BufferUnderflowException on later traversals of the vertex. Only records living entirely in place on the conflicted page are now re-derived; multi-page and indirected (placeholder) chunk records fall back to the standard full-transaction retry. Single-page chunks - the vast majority, including all super-node stripe chunks - keep the merge.

MCP server

  • get_schema now builds its schema through a dedicated buildSchema path, and the MCP dispatcher handles a missing resource with a proper MCPResourceNotFoundException instead of a generic failure.

Full Changelog: 26.7.2...26.7.3

Don't miss a new arcadedb release

NewReleases is sending notifications on new releases.