Information Disclosure in SurrealDB Affects User Data Privacy
CVE-2026-63309
5.3MEDIUM
What is CVE-2026-63309?
SurrealDB versions prior to 3.1.5 exhibit a flaw where field-level SELECT permissions are not enforced correctly in ORDER BY queries. This allows authenticated users to exploit the system and leak the sort order of hidden values in restricted fields. Even when these fields are intended to return null, attackers can issue ORDER BY queries on indexed restricted fields, thereby reconstructing the alignments of forbidden data across records. This vulnerability poses significant risks to user data privacy and could lead to unauthorized exposure of sensitive information.
Affected Version(s)
surrealdb 3.0.0 < 3.1.5
surrealdb 3.1.5
