PT-2026-60953 · Surrealdb · Surrealdb
CVSS v4.0
9.4
Critical
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
SurrealDB versions prior to 2.0.5
SurrealDB versions 2.1.x prior to 2.1.5
SurrealDB versions 2.2.x prior to 2.2.2
Description
SurrealDB fails to properly escape table and field names during the command-line export process. An authenticated System User with OWNER or EDITOR roles can create tables or fields with names containing malicious SurrealQL. When a higher-privileged user imports the resulting backup, the injected SurrealQL executes, leading to privilege escalation and root-level takeover of the instance. This issue also exposes applications that allow users to define custom tables or fields to a universal second-order SurrealQL injection, even if query parameters are sanitized.
Recommendations
Update SurrealDB to version 2.0.5.
Update SurrealDB to version 2.1.5.
Update SurrealDB to version 2.2.2.
Fix
LPE
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Surrealdb