PT-2024-40015 · Surrealdb · Surrealdb

Published 2024-12-16 · Updated 2024-12-16

CVSS v4.0

2.3 Low

Vector

AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

SurrealDB versions prior to 2.1.4

Description

The issue concerns the OVERWRITE clause of the DEFINE TABLE statement, which fails to overwrite data for tables defined with TYPE RELATION. This failure affects the PERMISSIONS clause, potentially leading users to believe they have changed table permissions when they have not. As a result, a client authorized to run queries in a SurrealDB server may access certain data in a specific table that they were not intended to access after the specified change in permissions.

Recommendations

For versions prior to 2.1.4, users are advised to verify that the intended permissions are in place using the INFO FOR DB statement. If updating permissions in a table with TYPE RELATION is required, affected users will need to remove the table and define it from scratch with the intended permissions, preserving data by backing it up to a temporary table.
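One way to automate the INFO FOR DB verification recommended above, as an added example that is not part of the original advisory or of SurrealDB: it compares the PERMISSIONS clause of each table definition against the intended policy and marks TYPE RELATION tables that still carry the old permissions. The sample result, the table names, the policy and the exact rendering of the definitions are constructed assumptions.

```python
import re

# Constructed sample: the "tables" object of an INFO FOR DB result, captured
# after a DEFINE TABLE OVERWRITE that was meant to restrict `likes`.
# The exact rendering of each definition string is an assumption.
INFO_FOR_DB = {
    "tables": {
        "person": "DEFINE TABLE person TYPE NORMAL SCHEMALESS "
                  "PERMISSIONS FOR select WHERE id = $auth.id, FOR create, update, delete NONE",
        "likes": "DEFINE TABLE likes TYPE RELATION IN person OUT post SCHEMALESS "
                 "PERMISSIONS FULL",
    }
}

# Hypothetical policy: the permissions the administrator believes are in effect,
# written the same way the server renders them.
INTENDED = {
    "person": "FOR select WHERE id = $auth.id, FOR create, update, delete NONE",
    "likes": "FOR select WHERE in = $auth.id, FOR create, update, delete NONE",
}

def _norm(text):
    """Collapse whitespace so formatting differences do not cause mismatches."""
    return " ".join(text.split())

def permissions_clause(definition):
    """Return the text after the PERMISSIONS keyword, or None if it is absent.
    Assumes PERMISSIONS is the last clause of the rendered definition."""
    match = re.search(r"\bPERMISSIONS\b(.*)$", definition, re.S)
    return _norm(match.group(1)) if match else None

def is_relation(definition):
    return re.search(r"\bTYPE\s+RELATION\b", definition) is not None

def audit(info, intended):
    """List tables whose effective permissions differ from the intended ones."""
    findings = []
    for table, want in intended.items():
        definition = info.get("tables", {}).get(table)
        have = permissions_clause(definition) if definition else None
        if have != _norm(want):
            findings.append({"table": table, "effective": have, "intended": _norm(want),
                             "relation": bool(definition) and is_relation(definition)})
    return findings

if __name__ == "__main__":
    for f in audit(INFO_FOR_DB, INTENDED):
        action = "TYPE RELATION: remove and redefine" if f["relation"] else "re-check definition"
        print(f"{f['table']}: effective={f['effective']!r} intended={f['intended']!r} ({action})")
```

A mismatch on a TYPE RELATION table is the case this advisory describes; other mismatches point to an ordinary definition error.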

Fix

Incorrect Permission


Weakness Enumeration

Related Identifiers

GHSA-27VQ-HV74-7CQP

Affected Products

Surrealdb