PT-2023-33071 · Surrealdb · Surrealdb

Published: 2023-12-15 · Updated: 2023-12-15

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SurrealDB versions prior to 1.0.1. SurrealDB version 1.1.0-beta.1 and earlier nightly releases are not affected, as they already include the patch.
Description

The issue arises from the default table permissions in SurrealDB being FULL instead of NONE: any client authorized to query data gets full access to every table that was defined without explicit permissions. This is particularly concerning for instances with guest access and publicly exposed interfaces, such as the HTTP REST API or the WebSocket API, because remote unauthenticated users may gain full access to unprotected tables. Tables defined with explicit permissions using the PERMISSIONS clause are not affected.
Recommendations

For SurrealDB versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. As a temporary workaround for unpatched versions, explicitly define table permissions using the PERMISSIONS clause, such as either of the following:

DEFINE TABLE secure PERMISSIONS NONE;
DEFINE TABLE secure PERMISSIONS FOR SELECT, CREATE, UPDATE, DELETE NONE;

Consider restricting access to tables without explicit permissions to minimize the risk of exploitation until the issue is resolved.
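The workaround above only helps for tables you remember to redefine, so an operator wants a way to enumerate tables that still rely on the default. The following script is an added example, not part of this advisory and not SurrealDB's own tooling: it takes the per-table DEFINE TABLE strings that `INFO FOR DB;` returns, classifies each by its PERMISSIONS clause, and flags tables with no clause at all, which on versions before 1.0.1 means FULL access. The sample definitions, the table names and the version strings are constructed; the exact shape of the INFO FOR DB output is an assumption, only the DEFINE TABLE strings matter.

```python
"""Flag SurrealDB tables that rely on the implicit default permissions.

Added example; not part of the advisory or of SurrealDB. The sample table
definitions are constructed to look like the `tables` map of `INFO FOR DB;`.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the `tables` section of `INFO FOR DB;` output
# from a hypothetical instance. Keys are table names, values DEFINE strings.
SAMPLE_TABLES = {
    "secure": "DEFINE TABLE secure SCHEMALESS PERMISSIONS NONE",
    "post": ("DEFINE TABLE post SCHEMAFULL PERMISSIONS "
             "FOR select FULL, FOR create, update, delete WHERE author = $auth.id"),
    "public_stats": "DEFINE TABLE public_stats SCHEMALESS PERMISSIONS FULL",
    "invoice": "DEFINE TABLE invoice SCHEMAFULL",   # no PERMISSIONS clause at all
}

PATCHED = (1, 0, 1)  # first release whose default is NONE (per the advisory)


@dataclass
class Finding:
    table: str
    status: str            # "none" | "per-operation" | "full" | "implicit"
    severity: str          # "ok" | "review" | "info" | "high"
    remediation: Optional[str]


def is_affected(version: str) -> bool:
    """True for releases before 1.0.1; a pre-release suffix such as
    '-beta.1' is ignored, so 1.1.0-beta.1 counts as not affected."""
    core = version.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts < PATCHED


def classify(definition: str) -> str:
    """Classify one DEFINE TABLE string by its PERMISSIONS clause."""
    # Drop "DEFINE TABLE <name>" first so a table literally named
    # "permissions" is not mistaken for a clause.
    body = re.sub(r"^\s*DEFINE\s+TABLE\s+\S+", "", definition, flags=re.IGNORECASE)
    m = re.search(r"\bPERMISSIONS\b\s*(.*)$", body, re.IGNORECASE | re.DOTALL)
    if not m:
        return "implicit"          # relies on the server default
    clause = m.group(1).strip().rstrip(";").upper()
    if clause == "NONE":
        return "none"
    if clause == "FULL":
        return "full"
    return "per-operation"         # FOR select ..., FOR create ... rules


def audit(tables: dict, version: str) -> list:
    """Return one Finding per table; implicit tables on affected versions
    are 'high' and get a remediation statement that keeps the rest of the
    existing definition (re-issuing DEFINE TABLE replaces it wholesale)."""
    affected = is_affected(version)
    findings = []
    for name, definition in tables.items():
        status = classify(definition)
        remediation = None
        if status == "implicit":
            severity = "high" if affected else "info"
            remediation = definition.rstrip(";") + " PERMISSIONS NONE;"
        elif status == "full":
            severity = "review"    # explicit, but wide open if guests can query
        else:
            severity = "ok"
        findings.append(Finding(name, status, severity, remediation))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TABLES, "1.0.0"):
        line = f"{f.severity:6} {f.table:13} {f.status}"
        if f.remediation:
            line += f"  -> {f.remediation}"
        print(line)
```

The remediation string appends PERMISSIONS NONE to the existing definition rather than emitting a bare `DEFINE TABLE name PERMISSIONS NONE;`, so that SCHEMAFULL and other options already on the table survive the redefinition. Tables with an explicit FULL are reported as "review" rather than "high": they are outside the scope of this advisory, but on an instance with guest access they carry the same exposure.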

Fix


Related Identifiers

GHSA-X5FR-7HHJ-34J3

Affected Products

Surrealdb