PT-2026-60947 · Surrealdb · Surrealdb
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
SurrealDB versions prior to 2.0.4
Description
Authorized users can bypass field permissions during SELECT, UPDATE, and DELETE operations to access unauthorized field values. This is achieved through various query techniques, including the use of SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references, which allow the leakage of protected field contents even when SELECT permissions are absent.
Recommendations
Update SurrealDB to version 2.0.4 or later.
Fix
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Surrealdb