CVE-2024-58362 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted users, an unauthenticated attacker can encode a binary object containing a subquery using the bincode serialization format and supply it in place of credentials. The subquery is then executed within the database owner's SIGNIN/SIGNUP query under a system user session with the editor role, allowing the attacker to select, create, update, and delete non-IAM resources (though not view the query results directly, and not affect IAM resources, which require the owner role).
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability represents a critical server-side request forgery and code execution flaw in SurrealDB versions prior to 1.5.5 and 2.0.0-beta.3, fundamentally compromising database security through improper input validation in authentication operations. The issue stems from insufficient recursive validation of objects submitted through the RPC API's signin and signup endpoints, allowing attackers to bypass normal authentication mechanisms by injecting malicious serialized data structures.
The technical exploitation occurs when an attacker crafts a binary object using the bincode serialization format and submits it as credentials during authentication attempts. This object contains embedded subqueries that bypass standard validation checks because the system only validates top-level fields without recursively examining nested structures. When the database processes these objects through defined SIGNIN or SIGNUP queries, the serialized subqueries execute within the context of a system user session with editor privileges rather than guest access.
The operational impact of this vulnerability extends beyond simple authentication bypass to encompass full data manipulation capabilities within the database. Attackers can perform select operations to enumerate non-IAM resources, create new records, update existing data, and delete information without proper authorization. However, the attack is constrained by the editor role's limitations, preventing direct access to query results and complete IAM resource manipulation. This creates a sophisticated attack vector that aligns with CWE-20 "Improper Input Validation" and follows ATT&CK technique T1078.004 "Valid Accounts: SSH Keys" through unauthorized session elevation.
The vulnerability specifically targets database access methods that define custom authentication logic, making it particularly dangerous in environments where organizations rely on custom SIGNIN/SIGNUP queries for business logic integration. The exposure occurs when RPC APIs are accessible to untrusted users, creating an attack surface that enables remote exploitation without requiring prior authentication credentials or network proximity. Organizations implementing SurrealDB with exposed administrative APIs face significant risk of data compromise and unauthorized system manipulation through this vector.
Mitigation strategies should focus on immediate version upgrades to patched releases while implementing additional defensive measures including network segmentation to limit RPC API exposure, implementing strict input validation at all levels of the application stack, and employing principle of least privilege configurations for authentication query execution. Organizations should also consider monitoring for unusual authentication patterns and implementing automated patch management processes to prevent similar vulnerabilities from persisting in their environments. The vulnerability demonstrates the critical importance of recursive validation in serialized object processing and highlights the need for comprehensive security testing of database API endpoints that handle user-supplied data structures.