PT-2026-60942 · Surrealdb · Surrealdb
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SurrealDB versions prior to 1.5.5
SurrealDB versions 2.0.0-beta through 2.0.0-beta.2
Description
The RPC API accepts arbitrary objects in the signin and signup operations without recursively validating them for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted users, an unauthenticated attacker can use the bincode serialization format to supply a binary object containing a subquery instead of credentials. This subquery is executed within the database owner's query under a system user session with the editor role, enabling the attacker to select, create, update, and delete non-IAM resources. The attacker cannot view query results directly or affect IAM (Identity and Access Management) resources, as those require the owner role.
Recommendations
Update SurrealDB to version 1.5.5.
Update SurrealDB to version 2.0.0-beta.3.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Surrealdb