Security News

Cybersecurity news aggregator

HIGH · Vulnerabilities · Reddit r/netsec

Exploiting AQL Injection Vulnerabilities in ArangoDB

The article details AQL injection vulnerabilities in ArangoDB, where improper handling of user input in dynamically constructed ArangoDB Query Language statements can lead to data exposure, manipulation, and privilege escalation, analogous to SQL injection. The author has released an open-source tool, aqlmap, to automate the exploitation of these flaws. No specific CVSS score, affected versions, fixed versions, or workarounds are provided in the source material.

By Anvil Secure, March 25, 2026

Overview

In perhaps the first and most publicly comprehensive paper of its kind, Principal Security Engineer Daniel Kachakil explores how insecure handling of user input in ArangoDB's Query Language (AQL) can be vulnerable to injection attacks. Based on his real-world experience, Daniel draws parallels to SQL injection while highlighting the unique behaviors and opportunities present in AQL. He demonstrates how improper handling of user input—especially when used to dynamically construct AQL queries—can lead to severe security risks including data exposure, data manipulation, and potential privilege escalation within ArangoDB environments. This post serves as a comprehensive reference for pentesters seeking detailed insight into AQL injections and how they can be exploited.

By Daniel Kachakil

In one of my recent pentests, I found multiple instances of AQL injections, which I successfully exploited and reported as critical vulnerabilities. The main purpose of this blog post is to serve as a guide to better understand how these injections work, how they compare to more commonly found SQL injections, and how they can be exploited and prevented. As part of this research, I also developed and published a new open-source tool (aqlmap) which implements multiple techniques (error-based, reflected, blind, and time-based injections) to automate the database extraction, covering the majority of real-world scenarios.

ArangoDB and AQL

ArangoDB is a multi-model database which supports different types of data models, such as schema-less documents (similar to MongoDB) and graphs (similar to Neo4j). To retrieve and manipulate data, ArangoDB uses its own declarative query language (ArangoDB Query Language, or AQL), which shares some similarities with SQL, but also has several differences.
More information about ArangoDB and AQL can be found in the official documentation:

    https://docs.arangodb.com/stable/get-started/
    https://docs.arangodb.com/stable/aql/fundamentals/syntax/

Note: AQL is also the acronym for Asterix Query Language (Apache), Ariel Query Language (IBM), Assets Query Language (Atlassian), etc. In this blog post, AQL will always refer to the ArangoDB Query Language.

Basic Syntax

To better understand how injections work in this language, let's start with a basic example taken from the AQL documentation:

    FOR u IN users
      FILTER u.type == "newbie" && u.active == true
      RETURN u.name

In SQL, taking all differences into account, an equivalent statement would look like this:

    SELECT u.name FROM users AS u WHERE u.type = "newbie" AND u.active = TRUE

Both queries will retrieve the names of active and "newbie" users, in any order. For anyone with some experience in relational databases (SQL) but not very familiar with non-relational (NoSQL) databases, this would be an analogy of the closest fundamental concepts of both worlds:

    Relational                               | Non-relational
    -----------------------------------------|-------------------------------------
    Table (fixed schema)                     | Collection (flexible schema)
    Column (predefined field and type)       | Attribute (dynamic field and type)
    Row (flat item with predefined columns)  | Document (nested object, like JSON)

Notes About Keywords and Variables

AQL keywords and function names are case insensitive, and new lines or extra white spaces are optional, so this is a fully equivalent query and will return the same results:

    For u IN users filter u.type == "newbie" && u.active == true return u.name

However, variables and collection names in AQL are case sensitive, so this one will fail (because user and USER are different variables):

    FOR user IN users RETURN USER

Also, if any variable or collection name contains special characters (dashes, white spaces, Unicode, etc.), or conflicts with a reserved keyword, these names must be enclosed in backticks, but this can also be optionally done with names that don't strictly need it.
For instance:

    FOR `user` IN users RETURN `user`

Comments

With the same syntax and behavior supported in many programming languages, AQL supports two types of comments:

    Single line ( // Comment here… )
    Inline or multiline ( /* Comment here… */ )

Unlike other database systems, AQL does not support a double dash ( -- ) or a hash sign ( # ) as comment markers. Also, a multiline comment must always be closed, or the query won't be successfully parsed.

AQL Injection

The official and public documentation has a dedicated section about injections in the Common Errors in AQL page, which explains the risks, mitigations, and gives some very good examples of injections. If we look at their first example, it will probably look familiar, since this is how the majority of injections happen:

    // evil!
    var what = req.params("searchValue"); // user input value from web form
    // ...
    var query = "FOR doc IN collection FILTER doc.value == " + what + " RETURN doc";
    db._query(query, params).toArray();

As we can see in the above example, the what parameter comes from user input through the searchValue parameter and ends up becoming part of an AQL command through...
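The following is an added example, not code from the Anvil Secure post or from the ArangoDB documentation. It places the concatenation pattern quoted above beside a hardened builder that passes user input as AQL bind parameters (@value for values, @@coll for collection names), which is the mitigation the documentation's injection section recommends. Nothing here connects to a database: each builder returns the query/bindVars pair that would be handed to db._query(query, bindVars) in Foxx or arangosh, so the difference can be checked offline. The builder names, the collection allow-list and the sample inputs are constructed for this example.

```javascript
// Added example: unsafe string concatenation beside the bind-parameter form.
// No database calls are made; each builder returns {query, bindVars}, which is
// exactly what db._query(query, bindVars) would receive.

// Unsafe: the input is spliced into the query text, so ArangoDB parses it as AQL.
function buildSearchQueryUnsafe(searchValue) {
  return {
    query: 'FOR doc IN collection FILTER doc.value == ' + searchValue + ' RETURN doc',
    bindVars: {},
  };
}

// Hardened: the query text is a constant; the value travels separately as the
// bind parameter @value and is treated as data regardless of its characters.
function buildSearchQuery(searchValue) {
  return {
    query: 'FOR doc IN collection FILTER doc.value == @value RETURN doc',
    bindVars: { value: searchValue },
  };
}

// Collection names cannot be bound as ordinary values; AQL uses the @@name form
// and the bindVars key is written "@name". Since that still lets the caller pick
// any collection, the name is checked against an allow-list first.
// ALLOWED_COLLECTIONS is a hypothetical list for this example.
const ALLOWED_COLLECTIONS = new Set(['users', 'orders']);

function buildCollectionQuery(collectionName, searchValue) {
  if (!ALLOWED_COLLECTIONS.has(collectionName)) {
    throw new Error('collection not allowed: ' + collectionName);
  }
  return {
    query: 'FOR doc IN @@coll FILTER doc.value == @value RETURN doc',
    bindVars: { '@coll': collectionName, value: searchValue },
  };
}

// Review check: a correctly parameterised builder yields the same query text
// for any input, because input never reaches the text. A concatenating builder
// does not have this property, which is how the two can be told apart in a test.
function queryTextIsInputIndependent(builder) {
  const a = builder('alpha').query;
  const b = builder('beta').query;
  return a === b;
}

// Sample run with constructed input
console.log(buildSearchQuery('newbie'));
console.log(queryTextIsInputIndependent(buildSearchQueryUnsafe)); // false
console.log(queryTextIsInputIndependent(buildSearchQuery));       // true
```

The queryTextIsInputIndependent check is a cheap property to keep in a code base's unit tests for every function that produces AQL: if the query string ever varies with its arguments, input has leaked into the parsed text and the function needs the bind-parameter treatment shown above.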
