Critical Vulnerabilities Exposed in OrientDB GraphDB 3.2.46: 20 Flaws Found, No Patch Available
A comprehensive security scan of OrientDB GraphDB version 3.2.46 has uncovered 20 distinct vulnerabilities, including multiple critical and high-severity flaws with no available remediation. The findings, flagged via dependency analysis in a GitHub-based scanner, reveal a significant exposure surface in this widely used graph database library.
The most severe vulnerability carries a CVSS score of 10.0, the maximum possible severity rating. Tracked as CVE-2026-5598, this flaw resides in the transitive Bouncy Castle cryptographic library component (bcprov-jdk18on-1.77.jar). A second critical vulnerability, CVE-2025-14813, scores 9.0 on the CVSS scale and affects the same library dependency. Both vulnerabilities are classified as transitive, meaning they enter the project through third-party dependencies rather than the OrientDB codebase itself. The scan identified the vulnerable library path within the Maven repository structure at orientdb-graphdb-3.2.46.jar, with the dependency chain traced through the project's server/pom.xml file.
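Because both critical CVEs are transitive, the first question a defender has to answer is which declared dependency pulls bcprov-jdk18on 1.77 into the build. The script below is an added example, not code from the OrientDB project or from the scanner: it parses the text output of `mvn dependency:tree` and reports every root-to-artifact path for a given groupId:artifactId, classifying the artifact as direct or transitive. The sample tree, including the intermediate artifacts and the `orientdb-server` root coordinate, is constructed for illustration; the page only states that the chain runs through server/pom.xml.

```python
"""Trace how a flagged artifact enters a Maven build.

Parses the default text output of `mvn dependency:tree` and reports every
path from the root module down to a target groupId:artifactId. A path of
length 2 (root -> artifact) means the dependency is declared directly;
anything longer is transitive, which is what the scan reports for
bcprov-jdk18on 1.77.
"""
from dataclasses import dataclass

# Constructed sample tree. The intermediate artifacts and the root
# coordinate are assumptions for illustration, not taken from OrientDB's
# actual pom files. The parenthesised line is the verbose-mode form Maven
# uses for a node it has already printed elsewhere in the tree.
SAMPLE_TREE = """\
com.orientechnologies:orientdb-server:jar:3.2.46
+- com.orientechnologies:orientdb-graphdb:jar:3.2.46:compile
|  +- com.orientechnologies:orientdb-core:jar:3.2.46:compile
|  \\- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
+- org.bouncycastle:bcpkix-jdk18on:jar:1.77:compile
|  \\- (org.bouncycastle:bcprov-jdk18on:jar:1.77:compile - omitted for duplicate)
\\- junit:junit:jar:4.13.2:test
"""


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"

    def __str__(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_coordinate(text: str) -> Artifact:
    """Parse groupId:artifactId:type[:classifier]:version[:scope]."""
    # Verbose mode wraps repeated nodes: "(g:a:jar:1.0:compile - omitted for duplicate)"
    if text.startswith("("):
        text = text[1:].split(" - ", 1)[0]
    parts = text.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {text!r}")
    # The root module has no scope, so its version is the last field.
    scope = parts[-1] if len(parts) >= 5 else ""
    version = parts[-2] if len(parts) >= 5 else parts[-1]
    return Artifact(parts[0], parts[1], version, scope)


def parse_tree(text: str) -> list[tuple[Artifact, ...]]:
    """Return the root-to-node path for every node in the tree."""
    paths: list[tuple[Artifact, ...]] = []
    stack: list[Artifact] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Tree drawing uses 3-character cells ("+- ", "\- ", "|  ", "   "),
        # so the nesting depth is the prefix length divided by three.
        i = 0
        while i < len(raw) and raw[i] in "|+\\- ":
            i += 1
        depth = i // 3
        node = parse_coordinate(raw[i:])
        stack = stack[:depth] + [node]
        paths.append(tuple(stack))
    return paths


def find_paths(text: str, group: str, artifact: str) -> list[list[str]]:
    """All root-to-target paths, rendered as group:artifact:version strings."""
    target = f"{group}:{artifact}"
    return [[str(a) for a in p] for p in parse_tree(text) if p[-1].key == target]


def is_transitive(paths: list[list[str]]) -> bool:
    """Transitive when no path declares the artifact directly under the root."""
    return bool(paths) and all(len(p) > 2 for p in paths)


def report(text: str, group: str, artifact: str) -> str:
    paths = find_paths(text, group, artifact)
    if not paths:
        return f"{group}:{artifact} not present"
    kind = "transitive" if is_transitive(paths) else "direct"
    lines = [f"{group}:{artifact} is {kind}, {len(paths)} path(s):"]
    lines += ["  " + " -> ".join(p) for p in paths]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TREE, "org.bouncycastle", "bcprov-jdk18on"))
```

Run `mvn dependency:tree -Dverbose` in the module the scanner named (here server/) and feed its output to `report`; each printed path names the declared dependency that would have to be updated, excluded or have its version managed for the transitive artifact to change, which is the information a tracking ticket needs while no fixed version exists.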
Security researchers have flagged that at least one of the identified vulnerabilities carries a "reachable" status, indicating that a potential attacker could actively exploit the flaw through standard application pathways. The absence of a fixed version for these transitive dependencies compounds the risk, leaving organizations using this library without a direct patch path from the security scanner. The EPSS (Exploit Prediction Scoring System) scores remain below 1% for these specific CVEs, suggesting limited current exploitation activity, though the maximum severity rating warrants immediate attention from development and security teams using OrientDB GraphDB in production environments.