PT-2026-60947 · Surrealdb · Surrealdb

·

CVE-2024-58367

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.0.4
Description Authorized users can bypass field permissions during SELECT, UPDATE, and DELETE operations to access unauthorized field values. This is achieved through various query techniques, including the use of SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references, which allow the leakage of protected field contents even when SELECT permissions are absent.
Recommendations Update SurrealDB to version 2.0.4 or later.

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2024-58367

Affected Products

Surrealdb