PT-2026-60942 · Surrealdb · Surrealdb

·

CVE-2024-58362

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 1.5.5 SurrealDB versions 2.0.0-beta through 2.0.0-beta.2
Description The RPC API accepts arbitrary objects in the signin and signup operations without recursively validating them for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted users, an unauthenticated attacker can use the bincode serialization format to supply a binary object containing a subquery instead of credentials. This subquery is executed within the database owner's query under a system user session with the editor role, enabling the attacker to select, create, update, and delete non-IAM resources. The attacker cannot view query results directly or affect IAM (Identity and Access Management) resources, as those require the owner role.
Recommendations Update SurrealDB to version 1.5.5. Update SurrealDB to version 2.0.0-beta.3.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2024-58362

Affected Products

Surrealdb