Information Disclosure in SurrealDB Affects User Data Privacy
CVE-2026-63309

5.3MEDIUM

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-63309?

SurrealDB versions prior to 3.1.5 exhibit a flaw where field-level SELECT permissions are not enforced correctly in ORDER BY queries. This allows authenticated users to exploit the system and leak the sort order of hidden values in restricted fields. Even when these fields are intended to return null, attackers can issue ORDER BY queries on indexed restricted fields, thereby reconstructing the alignments of forbidden data across records. This vulnerability poses significant risks to user data privacy and could lead to unauthorized exposure of sensitive information.

Affected Version(s)

surrealdb 3.0.0 < 3.1.5

surrealdb 3.1.5

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.