Document-Graph Database Vulnerability in SurrealDB by SurrealDB
CVE-2026-49997
5.4MEDIUM
What is CVE-2026-49997?
SurrealDB, a collaborative document-graph database, was found to have a vulnerability where the Document::purge_edges function allowed the automatic removal of graph edge records without appropriate permission checks. Specifically, when a connected node was deleted, the system bypassed the edge table's defined permissions for both delete and select operations. This exploited a flaw in the edge record management, potentially leading to unauthorized data access and manipulation. The issue has been remediated in version 3.1.0, which implements stricter permission controls to safeguard against such bypass attempts.
Affected Version(s)
surrealdb < 3.1.0
