RPC API Vulnerability in SurrealDB Affects User Authentication Processes
CVE-2024-58362

8.7HIGH

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2024-58362?

SurrealDB versions prior to 1.5.5 and 2.0.0-beta before 2.0.0-beta.3 are susceptible to a query injection vulnerability. The issue arises from the RPC API's acceptance of arbitrary objects during the signin and signup processes without thorough validation of non-computed values. This flaw permits an unauthorized attacker to craft a binary object embedded with a subquery using the bincode serialization format. When this object is submitted in place of user credentials during the authentication process, it is executed under the permissions of a system user session with the editor role. Consequently, the attacker attains the ability to manipulate non-IAM resources, enabling actions such as selection, creation, updating, and deletion of these resources, while IAM resources remain unaffected. This significant security gap underscores the need for immediate remediation and enhanced validation mechanisms within the authentication workflows.

Affected Version(s)

surrealdb 0 < 1.5.5, 2.0.0-beta.3

surrealdb 0 < 1.5.2

surrealdb 1.5.5, 2.0.0-beta.3

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

RaphaelDarley
.