PT-2026-54773 · Surrealdb · Surrealdb
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-49997
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
SurrealDB versions prior to 3.1.0
Description
An authorization bypass exists when deleting node records in a graph. When a node is deleted, the system automatically removes connected edge records via the
Document::purge edges function. This process was executed with permissions disabled, allowing a user with node deletion privileges to delete connected edges and observe edge contents that should have been hidden by the PERMISSIONS FOR delete and PERMISSIONS FOR select clauses of the edge table.Recommendations
Update to version 3.1.0 or later.
Restrict node
DELETE permission to principals trusted to delete all connected edge records.
Use namespace or database isolation as the primary boundary where edge-level PERMISSIONS are used for multi-tenant separation.Fix
Incorrect Authorization
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Surrealdb