DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HV6H-HC26-Q48P: Field-level SELECT permissions bypassed via graph and reference traversals in SurrealDB

Vulnerability ID: GHSA-HV6H-HC26-Q48P
CVSS Score: 4.3
Published: 2026-06-19

A security vulnerability exists in SurrealDB's streaming query planner where streaming graph edge traversals or reverse-reference traversals bypass field-level SELECT permissions. This vulnerability allows an authenticated database user with valid, low-privileged credentials holding table-level SELECT permissions to bypass field-level access controls and read highly confidential or restricted fields.

TL;DR

A vulnerability in SurrealDB's streaming query planner allows authenticated, low-privileged users to bypass field-level SELECT permissions and access restricted data by using graph edge or reverse-reference traversals.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network
  • CVSS Score: 4.3 (Medium)
  • EPSS Score: N/A
  • Impact: Confidentiality Bypass (Read-only)
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • SurrealDB instances utilizing the default streaming query executor
  • surrealdb: >= 3.1.0, <= 3.1.4 (Fixed in: 3.1.5)

Code Analysis

Commit: ffaf5e3

Correct field permissions and computed fields in resolve_record_batch

@@ -126,6 +129,18 @@ pub(crate) async fn resolve_version_stamp(
+/// SECURITY: when `fetch_full` is `true` the materialised record must go
+/// through the *same* field-level processing as an ordinary table scan... 

Mitigation Strategies

  • Upgrade to SurrealDB 3.1.5 or newer.
  • As a temporary workaround, force the legacy compute-only executor (SURREAL_PLANNER_STRATEGY=compute-only) so that queries bypass the streaming query planner.
  • Restructure database schemas to enforce access control boundaries at the table level.

Remediation Steps:

  1. Identify vulnerable SurrealDB instances running versions between 3.1.0 and 3.1.4.
  2. If immediate patching is not possible, set the environment variable SURREAL_PLANNER_STRATEGY=compute-only on the database server process and restart it.
  3. Download and install SurrealDB version 3.1.5 or newer.
  4. Restart the database services with the updated binary.
  5. Verify the remediation by running a graph edge traversal query and ensuring field-level filters are enforced.
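The version-gating part of the remediation steps above, as an added example that is not part of the advisory or of SurrealDB's own tooling. It classifies a SurrealDB version string against the affected range 3.1.0 through 3.1.4 and prints the matching action (upgrade to 3.1.5 or newer, or the SURREAL_PLANNER_STRATEGY=compute-only workaround until then). The assumption that `surreal version` prints a line beginning with the semantic version is mine, which is why the function also accepts a version passed on the command line.

```shell
#!/bin/sh
# Added example (not from the advisory or from the SurrealDB project): decide
# whether a SurrealDB version falls inside the range affected by
# GHSA-HV6H-HC26-Q48P (>= 3.1.0, <= 3.1.4) and print the recommended action.

# Returns 0 (affected) when MAJOR.MINOR.PATCH lies in [3.1.0, 3.1.4].
# A trailing pre-release suffix such as "-beta.1" is ignored for the patch
# component; a missing patch component is treated as 0.
surrealdb_affected() {
  v="$1"
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
  [ "$major" = "3" ] && [ "$minor" = "1" ] && [ "${patch:-0}" -le 4 ]
}

# Prints the remediation from the advisory for the given version string.
remediation_for() {
  if surrealdb_affected "$1"; then
    echo "AFFECTED ($1): upgrade to SurrealDB 3.1.5 or newer; until then run with SURREAL_PLANNER_STRATEGY=compute-only"
  else
    echo "NOT AFFECTED ($1): outside the 3.1.0-3.1.4 range of GHSA-HV6H-HC26-Q48P"
  fi
}

# Best-effort detection of a locally installed binary. The output format of
# `surreal version` (semantic version as the first word) is an assumption.
detect_local_version() {
  if command -v surreal >/dev/null 2>&1; then
    surreal version 2>/dev/null | awk '{print $1; exit}'
  fi
}

# Usage: ./check_surrealdb.sh [VERSION]
# With no argument the script inspects the local `surreal` binary, if any.
if [ -n "$1" ]; then
  remediation_for "$1"
else
  local_ver=$(detect_local_version)
  if [ -n "$local_ver" ]; then
    remediation_for "$local_ver"
  fi
fi
```

For a fleet, feed the script the version string reported by each instance rather than relying on the local binary; the workaround only removes exposure until the upgrade in step 3 is complete, and step 5's traversal test is still the authoritative check that field-level permissions are enforced.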


Read the full report for GHSA-HV6H-HC26-Q48P on our website for more details including interactive diagrams and full exploit analysis.
