Permission Bypass in SurrealDB by SurrealDB Team
CVE-2024-58356

2.3LOW

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2024-58356?

Versions of SurrealDB prior to 2.1.4 exhibit a vulnerability in the handling of table definitions when the DEFINE TABLE ... OVERWRITE clause is utilized on tables of TYPE RELATION. If an administrator attempts to change permissions on a table, the system may fail to apply these changes, leading to a situation where previously restricted data remains accessible to users authorized to run queries. This oversight can result in unintended data exposure, as the permissions adjustments do not take effect, thus potentially compromising the security of sensitive information.

Affected Version(s)

surrealdb 0 < 2.1.4

surrealdb 0 < 2.1.4

surrealdb 2.1.4

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

AlbertMarashi
.