CVE-2024-58367 PUBLISHED

SurrealDB before 2.0.4 Improper Authorization via SELECT Permissions

Assigner: VulnCheck
Reserved: 18.07.2026 Published: 18.07.2026 Updated: 18.07.2026

SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references to leak protected field contents despite lacking SELECT permissions.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.0.4 (excl.)
  • Version 2.0.4 is unaffected
Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.0.4 (excl.)
  • Version 2.0.4 is unaffected

Credits

  • 5hanth reporter
  • Xkonti reporter

References

Problem Types

  • Improper Authorization CWE