Document-Graph Database Vulnerability in SurrealDB by SurrealDB
CVE-2026-49997

5.4MEDIUM

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-49997?

SurrealDB, a collaborative document-graph database, was found to have a vulnerability where the Document::purge_edges function allowed the automatic removal of graph edge records without appropriate permission checks. Specifically, when a connected node was deleted, the system bypassed the edge table's defined permissions for both delete and select operations. This exploited a flaw in the edge record management, potentially leading to unauthorized data access and manipulation. The issue has been remediated in version 3.1.0, which implements stricter permission controls to safeguard against such bypass attempts.

Affected Version(s)

surrealdb < 3.1.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.