CVE-2023-54366 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations on unprotected tables within their authorization scope.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/18/2026

SurrealDB versions prior to 1.0.1 contained a critical security flaw in its default permission handling mechanism that fundamentally compromised database integrity and access control. This vulnerability stemmed from the system's default table permissions being set to FULL access level instead of the secure NONE state, creating an inherent risk where all database operations including SELECT, CREATE, UPDATE, and DELETE could be executed without explicit authorization. The flaw represented a significant deviation from security best practices and established industry standards for access control implementation.

The technical nature of this vulnerability aligns with CWE-284 Access Control Issues, specifically manifesting as improper access control due to default permission settings that grant excessive privileges. When SurrealDB instances were deployed without explicit permission configuration, the system defaulted to providing full administrative capabilities across all tables within the database scope. This design flaw created a scenario where attackers could exploit the lack of proper authorization checks to perform unrestricted operations on database resources.

The operational impact of this vulnerability was particularly severe given that SurrealDB instances could be publicly exposed without authentication mechanisms. Attackers with mere database access or even unauthenticated users could leverage this weakness to execute arbitrary operations on unprotected tables, effectively bypassing any intended security boundaries. The scope of potential damage expanded significantly when considering that legitimate users might not have explicitly configured their permissions, leaving the system in a dangerously permissive state.

This vulnerability directly maps to several ATT&CK tactics including TA0006 Credential Access and TA0005 Defense Evasion, as attackers could manipulate database contents without detection while potentially establishing persistence through unauthorized data modifications. The lack of explicit permission enforcement created blind spots in the security architecture that adversaries could exploit to gain deeper access to sensitive information and compromise database integrity.

Organizations should implement immediate remediation by upgrading to SurrealDB 1.0.1 or later versions where proper default permissions are enforced with NONE access level. Additional mitigations include implementing explicit permission policies for all tables, enforcing authentication mechanisms, restricting network exposure of database instances, and regularly auditing access controls. The vulnerability highlights the critical importance of secure-by-default configurations and demonstrates how seemingly minor permission defaults can create substantial security risks in database systems.

Responsible

VulnCheck

Reservation

06/22/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!