๐Ÿ” CVE Alert

CVE-2026-49997

MEDIUM 5.4

SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0.

CWE CWE-285 CWE-863
Vendor surrealdb
Product surrealdb
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for surrealdb surrealdb

Be the first to know when new medium vulnerabilities affecting surrealdb surrealdb are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

surrealdb / surrealdb
< 3.1.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/surrealdb/surrealdb/security/advisories/GHSA-whwg-vh4f-pmmf github.com: https://github.com/surrealdb/surrealdb/commit/500f4060349580b9cbb9c07b8112a487551c4616 github.com: https://github.com/surrealdb/surrealdb/releases/tag/v3.1.0