CVE-2026-47735

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks

Summary

Arc's user-SQL validator (internal/api/query.go:ValidateSQLRequest) blocked only read_parquet( and arc_partition_agg( via regex denylist. The broader DuckDB I/O function family — read_csv_auto, read_csv, read_json, read_json_auto, read_text, read_blob, glob, parquet_metadata, parquet_schema, read_xlsx, etc. — was not blocked. RBAC table-reference extraction inspected only FROM/JOIN clauses, so scalar table functions in the SELECT list slipped past both layers.

Impact

Any authenticated user, including a token with permissions: [], can read arbitrary local files via:

POST /api/v1/query
Authorization: Bearer 
{"sql": "SELECT * FROM read_csv_auto('/etc/passwd', header=false, columns={'l':'VARCHAR'}) LIMIT 5"}

Confirmed reachable targets:

  • auth.db — bcrypt hashes for every API token, plus legacy SHA-256 rows.
  • arc.toml — S3 secrets, TLS keys.
  • /proc/self/environ — environment-variable secrets.
  • Cross-tenant Parquet files — bypasses RBAC because the tenant scope is enforced at the table layer, not on raw file paths.
  • SSRF when httpfs is loaded (any S3-backed deployment) — read_csv_auto('http://169.254.169.254/latest/meta-data/...') reaches instance metadata IPs.

Patches

Fixed in 2026.06.1 (PR #442) via a structural sandbox at the DuckDB layer:

  • SET GLOBAL allowed_directories = [...] enumerates Arc's legitimate filesystem prefixes (storage roots + tier prefixes + import upload dir + compaction temp).
  • SET GLOBAL enable_external_access = false (one-way at runtime).
  • Verified by reading back the flag.

After lockdown, DuckDB refuses to open any file outside the allowlist and refuses further INSTALL/LOAD. Already-loaded extensions remain callable.

Workarounds

  • Restrict API access to known-trusted networks via firewall rules.
  • Temporary mitigation: add read_csv*/read_json*/glob etc. to dangerousSQLPattern in internal/api/query.go pending 2026.06.1.

Credits

Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.

CVSS v3
EG Score
0.0(none)
EPSS
8.8%
KEV
Not listed

Published

June 8, 2026

Last Modified

June 8, 2026

Vendor Advisories for CVE-2026-47735(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/basekick-labs/arc0.0.0-20260520141557-91bdc29d1a02

Data Freshness Timeline

(refreshed 0× in last 7d / 5× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-15 00:59 UTCEG score recompute
  2. 2026-06-14 23:18 UTCEPSS rescore
  3. 2026-06-13 23:00 UTCEPSS rescore
  4. 2026-06-12 23:12 UTCEPSS rescore
  5. 2026-06-08 23:56 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-47735?
CVE-2026-47735 is a high vulnerability published on June 8, 2026. Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks Summary Arc's user-SQL validator (internal/api/query.go:ValidateSQLRequest) blocked only readparquet( and arcpartitionagg( via regex denylist. The broader DuckDB I/O function family —…
When was CVE-2026-47735 disclosed?
CVE-2026-47735 was first published in the National Vulnerability Database on June 8, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47735 actively exploited?
CVE-2026-47735 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 8.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-47735?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47735, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47735

Explore →

Is Your Infrastructure Affected by CVE-2026-47735?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.