CVE-2024-58358 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 2.1.0 contain a denial of service vulnerability in role conversion that allows privileged owner users to define users with nonexistent roles. Attackers can trigger an uncaught panic by signing in with a user assigned an invalid role, crashing the server.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability exists within SurrealDB prior to version 2.1.0 and represents a critical denial of service flaw that stems from inadequate validation during role assignment processes. The core technical issue occurs when privileged owner users create accounts with references to roles that do not actually exist within the system configuration. This design flaw allows for the creation of user accounts that reference non-existent role identifiers, which creates a dangerous state where legitimate authentication attempts can trigger system failures. The vulnerability specifically manifests when an authenticated user attempts to log in with credentials assigned to an invalid role, causing the database server to encounter an unhandled exception that results in an immediate crash and service interruption.
The operational impact of this vulnerability extends beyond simple service disruption as it provides attackers with a reliable method for causing persistent system outages. When a user attempts authentication with a nonexistent role reference, the SurrealDB server experiences an uncaught panic condition that terminates the process entirely rather than gracefully handling the invalid state. This behavior violates fundamental principles of robust system design and fault tolerance, as the database fails catastrophically instead of implementing proper error handling mechanisms. The vulnerability is particularly concerning because it requires only minimal privileges to exploit - specifically access to create user accounts with invalid role references, which is typically restricted to privileged owner users within the system.
From a cybersecurity perspective, this vulnerability aligns with CWE-472 Unprotected Primary Resource and CWE-691 Insufficient Control Flow Management patterns, as it represents an unprotected resource that fails to properly control program flow when encountering invalid inputs. The ATT&CK framework categorizes this under T1499.004 Component Firmware, specifically targeting the database service layer where system availability is compromised through malformed authentication requests. The vulnerability demonstrates poor input validation and error handling practices that violate security best practices for maintaining system stability and resilience against malicious exploitation attempts.
The recommended mitigation strategy involves upgrading to SurrealDB version 2.1.0 or later, which implements proper validation checks during role assignment processes to prevent the creation of user accounts referencing non-existent roles. Additionally, organizations should implement comprehensive input validation at multiple levels including authentication handlers, role management interfaces, and database schema validation routines. System administrators should also establish monitoring protocols to detect unusual authentication patterns that might indicate attempted exploitation, while implementing proper error handling mechanisms that prevent system crashes from uncaught exceptions. Network segmentation and access control measures can further reduce the impact by limiting which users can create new accounts with potentially invalid role assignments, thereby reducing the attack surface for this particular vulnerability.