ArcadeDB 26.7.3
Overview
This is a focused hotfix on top of 26.7.2. It closes three security advisories from the internal audit - two in the MCP server transport and one in the JavaScript/Java trigger authorization gate - and repairs a data-loss regression in the 26.7.2 commutative super-node edge-append merge.
Upgrading from 26.7.2 is recommended, especially for deployments that expose the MCP server, run in server / multi-tenant mode, or store high-degree (super-node) graphs.
There are no breaking changes and no schema migration in this release.
Security Advisories
All three advisories were found in the same internal audit that produced the 26.7.2 fixes; they are MCP-transport and trigger issues that were not covered there.
- MCP command transport disabled all engine permission checks (GHSA-6x73-v3rc-f57c). The MCP transport never bound the authenticated principal onto the request thread's
DatabaseContext, so the engine permission gates (which are deliberate no-ops when no user is bound) silently passed for every MCP caller. A non-root, MCP-allowed reader could perform arbitrary writes, DDL and schema/security mutation; thequery+jssub-case could execute arbitrary in-JVM JavaScript. The principal is now bound at the single DB-resolution chokepoint and cleared on the pooled worker thread, so the engine per-user gates enforce for MCP exactly as for the HTTP, Bolt, PostgreSQL and gRPC transports. - MCP
get_server_settingsleaked the HA clusterToken in cleartext (GHSA-p9wc-4fhr-78wm). The MCPget_server_settingstool masked only settings whose key contained"password", soarcadedb.ha.clusterTokenwas returned raw. That token is the trust anchor for cluster-forwarded authentication, so leaking it enables full root impersonation. This is the MCP sibling of the 26.7.2 fix (GHSA-46hj-24h4-j8gf); the tool now redacts value and default viaGlobalConfiguration.isHidden(), matchingGetServerHandler. - JavaScript / Java triggers could escalate a schema admin to server-wide admin (GHSA-38pf-6hp2-pxww). A
JAVASCRIPTtrigger binds the real database object into a GraalVM context, so its script could calldatabase.getSecurity().createUser(...)and escalate anUPDATE_SCHEMA(schema-admin) user to a server-wide admin; aJAVAtrigger runs an arbitrary loaded class. Creating both host-code trigger types now requiresUPDATE_SECURITYat theLocalSchema.createTriggerchokepoint, mirroring theDEFINE FUNCTION ... LANGUAGE jsgate (GHSA-vwjc-v7x7-cm6g). Declarative SQL triggers keepUPDATE_SCHEMA, and schema reload of existing triggers is unaffected.
Major Fixes
Graph engine
- Edge-append merge no longer reverts concurrent writes on multi-page edge chunks (#5302). The commutative edge-append merge (
GRAPH_EDGE_APPEND_MERGE, introduced in 26.7.2) resolved a commit-time page conflict by re-deriving the conflicted page and replaying the transaction's tracked appends. For an edge chunk stored as a multi-page record (a chunk that straddles a page boundary) this re-derivation was unsound: the rebase re-read the chunk through the transaction's stale in-transaction page copy and committed it, silently reverting concurrently committed appends on the continuation page - zeroed chunk tails, shifted/aliased pairs, lost edges, andBufferUnderflowExceptionon later traversals of the vertex. Only records living entirely in place on the conflicted page are now re-derived; multi-page and indirected (placeholder) chunk records fall back to the standard full-transaction retry. Single-page chunks - the vast majority, including all super-node stripe chunks - keep the merge.
MCP server
get_schemanow builds its schema through a dedicatedbuildSchemapath, and the MCP dispatcher handles a missing resource with a properMCPResourceNotFoundExceptioninstead of a generic failure.
Full Changelog: 26.7.2...26.7.3