CVE-2024-58356 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PERMISSIONS clause, an attempt to tighten a table's permissions via OVERWRITE does not take effect, and the administrator may incorrectly believe the change was applied. As a result, a client authorized to run queries may continue to access data in that table that the updated (but unapplied) permissions were intended to restrict.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability affects SurrealDB versions prior to 2.1.4 and represents a critical authorization bypass issue stemming from improper handling of table definition overwrites. The flaw manifests when administrators attempt to modify table definitions using the DEFINE TABLE ... OVERWRITE clause on tables configured with TYPE RELATION. The system silently fails to properly overwrite these table definitions, creating a dangerous inconsistency between the intended configuration and actual operational state. This behavior directly violates the principle of least privilege and can lead to unauthorized data access.
The technical root cause lies in the database's handling of table definition updates when the OVERWRITE clause is employed specifically on RELATION-type tables. When administrators define permissions within table definitions, these permission settings become part of the table schema structure. However, the overwrite mechanism fails to properly process and apply these permission changes, resulting in a scenario where the system appears to accept the configuration update while silently retaining the original permission settings. This creates a false sense of security for database administrators who believe their permission modifications have been successfully implemented.
The operational impact of this vulnerability is severe as it allows attackers or authorized users to maintain access to data that should be restricted according to updated permissions. An attacker who has legitimate query execution privileges on a table could continue accessing sensitive data even after administrators attempt to tighten security through permission overwrites. This represents a clear violation of data integrity and confidentiality principles, as the system fails to enforce the intended access controls. The silent failure mode makes this vulnerability particularly dangerous because it operates without any error messages or warnings that would alert administrators to the failed permission updates.
This vulnerability aligns with CWE-284 (Improper Access Control) and CWE-703 (Improper Check for Exceptional Conditions), as it demonstrates both inadequate access control enforcement and failure to properly handle exceptional conditions during configuration updates. From an ATT&CK framework perspective, this issue maps to T1078 (Valid Accounts) and T1566 (Phishing) as it can enable persistent unauthorized access through legitimate user accounts. The vulnerability also relates to T1484 (Domain Policy Modification) since it affects the enforcement of security policies defined at the table level.
Administrative mitigations include immediate upgrade to SurrealDB version 2.1.4 or later where this issue has been resolved. System administrators should conduct comprehensive audits of all RELATION-type tables to identify any permission inconsistencies that may have occurred due to previous overwrites. Additionally, implementing monitoring solutions to detect when table definitions are modified and verifying the actual effective permissions through manual checks can help identify potential issues before they result in security breaches. Organizations should also consider implementing automated testing procedures for permission changes to ensure that overwrite operations function correctly and that intended access restrictions are properly enforced.