GUARDED 4 min read 17 Jul 2026

ArcadeDB read-only users can still mutate database schema

What changed Finding 01 identifies CVE-2026-54076 as an incomplete fix for CVE-2026-44221, leaving read-only ArcadeDB users able to mutate database schema. CVE-2026-44221 is associated with a recorded fix commit, but no equivalent fix is established for CVE-2026-54076.

Key findings
01
ArcadeDB read-only users can mutate database schema
CRITICAL
The GitHub advisory identifies CVE-2026-54076 as an incomplete fix for CVE-2026-44221. Read-only ArcadeDB users can still mutate database schema. The technical assessment records incorrect authorisation for CVE-2026-44221 and missing authorisation for CVE-2026-54076.
02
SAP updates NetWeaver ABAP for CVE-2026-44747
CRITICAL
SAP released July 2026 security updates addressing CVE-2026-44747 in SAP NetWeaver Application Server ABAP. The source describes an out-of-bounds write that allows an authenticated attacker to leverage logical errors in memory management, causing memory corruption that could lead to unauthorised data access, modification or system unavailability.
03
Zoom updates Windows clients for CVE-2026-53412
CRITICAL
Zoom released security updates for CVE-2026-53412, an improper-input-validation vulnerability that could facilitate account takeover through network access.
04
Pheditor retains an unchanged default administrator password
CRITICAL
CVE-2026-55579 concerns Pheditor’s hard-coded default password, admin, with no forced change. The GitHub advisory states that this condition enables full application compromise.
05
CISA orders action on an exploited Oracle E-Business Suite flaw
INFO
CISA ordered US federal agencies to secure systems against ongoing attacks exploiting a vulnerability in Oracle E-Business Suite, with a Saturday deadline reported by the source.
06
Microsoft’s July release includes two exploited vulnerabilities
INFO
SANS Internet Storm Center reports that Microsoft’s July 2026 release contains 622 vulnerabilities, excluding a further 427 Chromium vulnerabilities affecting Microsoft Edge. It states that 62 are rated critical, one had previously been disclosed and two were already exploited.
07
Russian state-sponsored actors target network devices
INFO
A multinational advisory warns that Russian state-sponsored attackers are compromising critical-infrastructure networks by exploiting poorly configured and vulnerable networking devices.
08
Security vendors release product updates
INFO
Trend Micro, Tanium, ESET and Tenable released product updates addressing vulnerabilities in some of their products. The source describes critical and high-severity issues but does not establish one shared mechanism, affected-version set or remediation procedure across the four vendors.
09
US government launches the Gold Eagle vulnerability clearinghouse
INFO
The US government announced Gold Eagle, an operative federal clearinghouse intended to help industry, critical-infrastructure operators and government organisations use artificial intelligence to detect, prioritise and patch cybersecurity vulnerabilities.
10
WatchGuard FireWare OS denial of service in IKEv2 deployments
HIGH
CVE-2026-13084 allows remote attackers to create a denial-of-service condition on affected WatchGuard FireWare OS installations. Authentication is not required, but the source limits affected scope to systems using VPN with IKEv2.
11
NVIDIA NeMo Framework checkpoint parsing can enable code execution
HIGH
CVE-2026-24157 allows remote attackers to execute arbitrary code on affected NVIDIA NeMo Framework installations. User interaction is required: the target must visit a malicious page or open a malicious file.
12
Adobe Creative Cloud flaw enables local privilege escalation
HIGH
CVE-2026-48344 allows local attackers to escalate privileges on affected Adobe Creative Cloud Desktop Application installations. An attacker must first be able to execute low-privileged code on the target.
13
Nuclio repository attributes can trigger build-time code execution
HIGH
CVE-2026-52833 concerns unsanitised Nuclio runtimeAttributes.repositories values injected into Groovy build.gradle, leading to build-time remote code execution.
14
Pheditor terminal sanitisation permits command execution
HIGH
CVE-2026-55578 concerns incomplete command sanitisation in Pheditor’s terminal feature. The GitHub advisory states that pipe operators, backtick substitution and newline injection can enable remote code execution.
15
Windows Backup Service privilege-escalation vulnerability
HIGH
CVE-2026-58598 affects the Windows Backup Service. The technical evidence identifies a race condition and assigns CVSS 7.0.

What changed

Finding 01 identifies CVE-2026-54076 as an incomplete fix for CVE-2026-44221, leaving read-only ArcadeDB users able to mutate database schema. CVE-2026-44221 is associated with a recorded fix commit, but no equivalent fix is established for CVE-2026-54076.

Finding 02 reports security updates for CVE-2026-44747 in SAP NetWeaver Application Server ABAP, while Finding 03 reports Windows security updates for CVE-2026-53412 affecting supported Zoom Workplace and VDI Client branches. Finding 04 identifies CVE-2026-55579 in Pheditor, where the default password admin is not subject to a forced change.

Finding 05 reports ongoing exploitation of an Oracle E-Business Suite vulnerability and a CISA deadline for US federal agencies. Finding 06 records a July Microsoft release containing 622 vulnerabilities, with two described as already exploited. Finding 07 adds a multinational warning about Russian state-sponsored targeting of vulnerable or poorly configured networking devices.

Finding 08 reports product updates from Trend Micro, Tanium, ESET and Tenable. Finding 09 introduces the operational Gold Eagle vulnerability clearinghouse. Findings 10, 11 and 12 report updates for CVE-2026-13084, CVE-2026-24157 and CVE-2026-48344 respectively, while Findings 13, 14 and 15 introduce CVE-2026-52833, CVE-2026-55578 and CVE-2026-58598.

Why it matters

The strongest shared operational theme is remediation validation rather than patch availability alone. Finding 01 demonstrates that an earlier fix can remain incomplete, while Findings 02, 03, 08, 10, 11 and 12 all report released updates that still require inventory matching and deployment verification.

Findings 05, 06 and 07 require faster triage because their sources describe ongoing or confirmed activity rather than vulnerability severity alone. The evidence does not establish that the same products, mechanisms or exploitation conditions apply across these three findings.

  • Recommended actions
  • ArcadeDB owner: For Finding 01, identify deployments affected by CVE-2026-54076 and CVE-2026-44221, then test whether read-only accounts can mutate schema after the earlier fix. Do not treat the recorded CVE-2026-44221 commit as proof that CVE-2026-54076 is remediated.
  • SAP owner: For Finding 02, identify SAP NetWeaver Application Server ABAP exposure to CVE-2026-44747 and apply the relevant July security update after checking the linked report against the deployed release.
  • Unified communications owner: For Finding 03, update affected Zoom Workplace for Windows and Zoom Workplace VDI Client for Windows installations for CVE-2026-53412, prioritising versions below the fixed branches described in the linked report.
  • Pheditor owner: For Finding 04, identify CVE-2026-55579 exposure, remove or change the default admin password immediately, and verify that deployments enforce a credential change.
  • Oracle E-Business Suite owner: For Finding 05, identify the specific vulnerability and affected releases from the linked report, compare them with deployed Oracle E-Business Suite systems, and prioritise the prescribed mitigation because the source describes ongoing exploitation.
  • Microsoft platform owner: For Finding 06, reconcile the July release with the organisation’s Microsoft estate and prioritise the two vulnerabilities identified by SANS as already exploited, including CVE-2026-56155 and CVE-2026-56164.
  • Network security owner: For Finding 07, review internet-facing network devices for vulnerable software and poor configuration, then compare the estate with the multinational advisory on Russian state-sponsored targeting.
  • Security tooling owners: For Finding 08, separately inventory Trend Micro, Tanium, ESET and Tenable products and check each product’s applicable update notice. Do not assume a shared vulnerability or remediation procedure.
  • Vulnerability management owner: For Finding 09, assess whether the Gold Eagle clearinghouse offers relevant vulnerability-discovery or patch-coordination information, while retaining established validation and change-control requirements.
  • WatchGuard owner: For Finding 10, identify FireWare OS systems using VPN with IKEv2 and apply the update linked by ZDI for CVE-2026-13084.
  • NVIDIA platform owner: For Finding 11, identify NVIDIA NeMo Framework exposure to CVE-2026-24157 and apply NVIDIA’s update, prioritising workflows that open untrusted files or direct users to untrusted pages.
  • Adobe endpoint owner: For Finding 12, identify endpoints running Adobe Creative Cloud Desktop Application and apply Adobe’s update for CVE-2026-48344, prioritising systems where lower-privileged code execution is plausible.
  • Nuclio owner: For Finding 13, identify CVE-2026-52833 exposure and restrict control over runtimeAttributes.repositories pending confirmation of the applicable remediation from the linked advisory.
  • Pheditor owner: For Finding 14, identify CVE-2026-55578 exposure and restrict access to the terminal feature until the linked advisory’s remediation has been confirmed and deployed.
  • Windows endpoint owner: For Finding 15, identify systems affected by CVE-2026-58598 and use Microsoft’s Security Update Guide to establish applicable releases and updates before deployment.

Evidence limits

Finding 01 establishes a fix commit only for CVE-2026-44221; it does not establish a fixed version or commit for CVE-2026-54076. Findings 04, 13 and 14 likewise do not provide a confirmed fixed version in the available technical evidence.

Finding 05 does not retain a CVE identifier, affected-version list or remediation detail. Findings 06, 07, 08 and 09 are broad reports rather than product-by-product technical advisories, so their claims must not be extended beyond the products, activity and initiatives expressly described.

Finding 10 has conflicting severity evidence: its technical assessment is High at CVSS 8.7, while the ZDI source assigns CVSS 5.9. The narrower conclusion is that the affected scope is limited to FireWare OS systems using VPN with IKEv2; the conflict is not resolved here.

No verified exploitation is established for CVE-2026-44747, CVE-2026-53412, CVE-2026-55579, CVE-2026-13084, CVE-2026-24157, CVE-2026-48344, CVE-2026-52833, CVE-2026-55578 or CVE-2026-58598. The ongoing-exploitation statements in Findings 05 and 06 must not be generalised to those CVEs.

cve-2026-13084cve-2026-24157cve-2026-44747cve-2026-48344cve-2026-52833cve-2026-53412cve-2026-54076cve-2026-55578cve-2026-55579cve-2026-56155

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.