Vulnerability DatabaseCVE-2026-47735
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-47735
Published:June 09, 2026
Updated:June 15, 2026
Summary Arc's user-SQL validator ("internal/api/query.go:ValidateSQLRequest") blocked only "read_parquet(" and "arc_partition_agg(" via regex denylist. The broader DuckDB I/O function family — "read_csv_auto", "read_csv", "read_json", "read_json_auto", "read_text", "read_blob", "glob", "parquet_metadata", "parquet_schema", "read_xlsx", etc. — was not blocked. RBAC table-reference extraction inspected only "FROM"/"JOIN" clauses, so scalar table functions in the "SELECT" list slipped past both layers. Impact Any authenticated user, including a token with "permissions: []", can read arbitrary local files via: POST /api/v1/query Authorization: Bearer <token> {"sql": "SELECT * FROM read_csv_auto('/etc/passwd', header=false, columns={'l':'VARCHAR'}) LIMIT 5"} Confirmed reachable targets: - "auth.db" — bcrypt hashes for every API token, plus legacy SHA-256 rows. - "arc.toml" — S3 secrets, TLS keys. - "/proc/self/environ" — environment-variable secrets. - Cross-tenant Parquet files — bypasses RBAC because the tenant scope is enforced at the table layer, not on raw file paths. - SSRF when "httpfs" is loaded (any S3-backed deployment) — "read_csv_auto('http://169.254.169.254/latest/meta-data/...')" reaches instance metadata IPs. Patches Fixed in 2026.06.1 (PR #442) via a structural sandbox at the DuckDB layer: 1. "SET GLOBAL allowed_directories = [...]" enumerates Arc's legitimate filesystem prefixes (storage roots + tier prefixes + import upload dir + compaction temp). 2. "SET GLOBAL enable_external_access = false" (one-way at runtime). 3. Verified by reading back the flag. After lockdown, DuckDB refuses to open any file outside the allowlist and refuses further "INSTALL"/"LOAD". Already-loaded extensions remain callable. Workarounds - Restrict API access to known-trusted networks via firewall rules. - Temporary mitigation: add "read_csv*"/"read_json*"/"glob" etc. to "dangerousSQLPattern" in "internal/api/query.go" pending 2026.06.1. Credits Reported by Alex Manson ("@NeuroWinter" (https://github.com/NeuroWinter), https://neurowinter.com/) on 2026-05-19.
Affected Packages
https://github.com/Basekick-Labs/arc.git (GITHUB):
Affected version(s) >=v25.11.1 <v26.06.1
Fix Suggestion:
Update to version v26.06.1
github.com/basekick-labs/arc (GO):
Affected version(s) >=v0.0.0-20260206174231-f00eea97ecb1 <v0.0.0-20260520141557-91bdc29d1a02
Fix Suggestion:
Update to version v0.0.0-20260520141557-91bdc29d1a02
Related Resources (4)
https://github.com/Basekick-Labs/arc/commit/91bdc29d1a02178ccf8c66375eccf85203108dfb
https://github.com/Basekick-Labs/arc/pull/442
https://github.com/Basekick-Labs/arc/security/advisories/GHSA-p2j4-c4g6-rpf5
https://github.com/Basekick-Labs/arc
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
Server-Side Request Forgery (SSRF)
CWE-918