PT-2026-47575

Summary Arc's user-SQL validator internal/api/query.go:ValidateSQLRequest blocked only read parquet and arc partition agg via regex denylist. The broader DuckDB I/O function family — read csv auto, read csv, read json, read json auto, read text, read blob, glob, parquet metadata, parquet schema,...

DuckDB 安全漏洞

DuckDB is an in-process SQL OLAP database management system from DuckDB open source. A security vulnerability exists in DuckDB 1.0.0 and earlier versions, which stems from the ability of sniffcsv to provide file system access even when enableexternalaccess is disabled, which could allow an attack...