Insecure Default Table Permissions in SurrealDB
CVE-2023-54366
8.7HIGH
What is CVE-2023-54366?
The vulnerability in SurrealDB prior to version 1.0.1 stems from its default configuration, which erroneously sets table permissions to FULL instead of NONE. This oversight allows users—whether authenticated or not—to execute critical database operations such as SELECT, CREATE, UPDATE, and DELETE on tables lacking appropriate protections. Consequently, both authenticated users with database access and unauthenticated individuals on improperly secured instances are at risk of conducting unrestricted actions within their authorization limits, potentially leading to data breaches or unauthorized modifications.
Affected Version(s)
surrealdb 0 < 1.0.1
surrealdb 1.0.1
