PT-2026-54773 · Surrealdb · Surrealdb

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-49997

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 3.1.0
Description An authorization bypass exists when deleting node records in a graph. When a node is deleted, the system automatically removes connected edge records via the Document::purge edges function. This process was executed with permissions disabled, allowing a user with node deletion privileges to delete connected edges and observe edge contents that should have been hidden by the PERMISSIONS FOR delete and PERMISSIONS FOR select clauses of the edge table.
Recommendations Update to version 3.1.0 or later. Restrict node DELETE permission to principals trusted to delete all connected edge records. Use namespace or database isolation as the primary boundary where edge-level PERMISSIONS are used for multi-tenant separation.

Fix

Incorrect Authorization

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49997
GHSA-WHWG-VH4F-PMMF

Affected Products

Surrealdb