Home
Home
Trends
Trends
Vulnerabilities
Vulnerabilities
News
News
Researchers
Researchers
Why dbugs?
Why dbugs?
Settings

Raphaeldarley

#30449of 54,864
8.8Total CVSS
Vulnerabilities · 1
PT-2026-60942
8.8
2026-07-18
Surrealdb · Surrealdb · CVE-2024-58362
**Name of the Vulnerable Software and Affected Versions** SurrealDB versions prior to 1.5.5 SurrealDB versions 2.0.0-beta through 2.0.0-beta.2 **Description** The RPC API accepts arbitrary objects in the signin and signup operations without recursively validating them for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted users, an unauthenticated attacker can use the bincode serialization format to supply a binary object containing a subquery instead of credentials. This subquery is executed within the database owner's query under a system user session with the editor role, enabling the attacker to select, create, update, and delete non-IAM resources. The attacker cannot view query results directly or affect IAM (Identity and Access Management) resources, as those require the owner role. **Recommendations** Update SurrealDB to version 1.5.5. Update SurrealDB to version 2.0.0-beta.3.