Insecure Default Table Permissions in SurrealDB
CVE-2023-54366

8.7HIGH

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2023-54366?

The vulnerability in SurrealDB prior to version 1.0.1 stems from its default configuration, which erroneously sets table permissions to FULL instead of NONE. This oversight allows users—whether authenticated or not—to execute critical database operations such as SELECT, CREATE, UPDATE, and DELETE on tables lacking appropriate protections. Consequently, both authenticated users with database access and unauthenticated individuals on improperly secured instances are at risk of conducting unrestricted actions within their authorization limits, potentially leading to data breaches or unauthorized modifications.

Affected Version(s)

surrealdb 0 < 1.0.1

surrealdb 1.0.1

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

LucyEgan
.