PT-2024-40300 · Surrealdb · Surrealdb

Published: 2024-07-11 · Updated: 2024-07-11

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

SurrealDB versions prior to 1.5.4
SurrealDB versions prior to 2.0.0-alpha.6

Description

The issue arises when an authenticated scope user switches working databases in a session using the use method or USE clause. If a user record with an identical identifier exists in the new database, the user may perform actions under the identity of the unrelated user. This issue does not affect system users and is mitigated if the PERMISSIONS clause checks for a unique scope or certain claims of the authentication token. The impact is limited to the single user with a matching record identifier.

Recommendations

For SurrealDB versions prior to 1.5.4, update to version 1.5.4 or later to resolve the issue. For SurrealDB versions prior to 2.0.0-alpha.6, update to version 2.0.0-alpha.6 or later to resolve the issue. As a temporary workaround, ensure that table PERMISSIONS clauses explicitly check that the $scope parameter matches a scope that is uniquely named across databases in the same SurrealDB instance. Additionally, ensure that record identifiers for users are automatically generated or explicitly generated to be unique across databases to mitigate this issue.
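As an added illustration of the workaround above (not text from the advisory and not SurrealDB project code; the scope name shop_account, the post table and its author field are assumed), a SurrealQL definition showing the permission that relies on the record id alone beside the hardened one that also pins the scope:

```sql
-- Added example (not from the advisory or the SurrealDB project). Assumes a
-- SurrealDB 1.x database with a scope named "shop_account" and a "post" table
-- whose "author" field holds the record id of the scope user who created it.

-- Scope users sign in as records of the "user" table.
DEFINE SCOPE shop_account SESSION 24h
  SIGNUP ( CREATE user SET email = $email, pass = crypto::argon2::generate($pass) )
  SIGNIN ( SELECT * FROM user WHERE email = $email AND crypto::argon2::compare(pass, $pass) );

-- Weak: the check relies only on the record id in $auth. After the session
-- switches databases with USE, a record with the same id in the other database
-- satisfies this clause (the behaviour described in the advisory).
DEFINE TABLE post SCHEMAFULL
  PERMISSIONS
    FOR select, create, update, delete WHERE author = $auth.id;

-- Workaround until upgrading to 1.5.4 / 2.0.0-alpha.6: also require that the
-- session's scope is the one defined in this database. This DEFINE replaces the
-- weak one above. Keep scope names unique across all databases of the instance,
-- otherwise the extra check adds nothing.
DEFINE TABLE post SCHEMAFULL
  PERMISSIONS
    FOR select, create, update, delete
      WHERE $scope = "shop_account" AND author = $auth.id;

-- Record ids: let SurrealDB generate them rather than choosing predictable ones,
-- so a user in one database is unlikely to collide with a record elsewhere.
CREATE user:alice SET email = "alice@example.com";   -- predictable id, avoid
CREATE user SET email = "alice@example.com";         -- random id, preferred
```

The scope check only narrows the exposure; the fixed versions named above remove the cross-database identity confusion itself.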

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

GHSA-GH9F-6XM2-C4J2

Affected Products

Surrealdb