CVE-2024-58367
SurrealDB before 2.0.4 Improper Authorization via SELECT Permissions
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references to leak protected field contents despite lacking SELECT permissions.
| CWE | CWE-285 |
| Vendor | surrealdb |
| Product | surrealdb |
| Published | Jul 18, 2026 |
Stay Ahead of the Next One
Get instant alerts for surrealdb surrealdb
Be the first to know when new unknown vulnerabilities affecting surrealdb surrealdb are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
surrealdb / surrealdb
0 < 2.0.4
surrealdb / surrealdb
0 < 2.0.4
References
Credits
๐ 5hanth ๐ Xkonti