CVE-2024-58363 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches databases using the USE clause or use method. Attackers with an authenticated session can impersonate an unrelated user in a different database if a user record with an identical identifier exists, allowing unauthorized actions if permissions rely solely on the $auth parameter.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/18/2026

This vulnerability affects SurrealDB versions prior to 1.5.4 and represents a critical authentication bypass flaw that undermines the database's security model. The issue stems from improper validation during database switching operations when users employ the USE clause or use method to transition between different databases within the same session. When a scope user switches databases, the system fails to properly verify whether the authenticated user has legitimate access rights to the target database, creating a path for privilege escalation attacks.

The technical flaw manifests when an attacker with an authenticated session can exploit a race condition or logic error in the authentication validation process. Specifically, when switching databases using the USE command, the system does not adequately check if the current user possesses appropriate permissions for the target database context. This allows attackers to impersonate users from different databases who share identical identifiers, effectively bypassing the normal access control mechanisms that should prevent such cross-database privilege escalation.

The operational impact of this vulnerability is significant as it enables unauthorized actions within target databases without proper authentication. An attacker can leverage this flaw to execute operations that would normally be restricted to legitimate database users with appropriate permissions. Since the vulnerability relies on the $auth parameter for permission checks, attackers can manipulate their session context to gain access to resources they should not legitimately possess, potentially leading to data theft, modification, or deletion across multiple database instances.

This vulnerability aligns with CWE-285 which addresses improper authorization in authentication systems, and maps to ATT&CK technique T1078 for valid accounts and privilege escalation. The flaw essentially creates a scenario where legitimate session tokens can be used to access unauthorized database contexts, effectively undermining the principle of least privilege that should govern database access controls.

Mitigation strategies should focus on implementing proper database context validation during switching operations, ensuring that authentication checks occur at every database transition point regardless of session state. Database administrators should immediately upgrade to SurrealDB 1.5.4 or later versions where this vulnerability has been addressed through enhanced authentication validation mechanisms. Additionally, organizations should implement monitoring for unusual database switching patterns and consider implementing more granular access controls that do not rely solely on the $auth parameter for permission enforcement. The fix likely involves strengthening the authentication validation logic to verify both user identity and database access permissions at the moment of context switching rather than relying on cached authentication state.

Responsible

VulnCheck

Reservation

07/18/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!