CVE-2024-58367 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references to leak protected field contents despite lacking SELECT permissions.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability represents a critical access control flaw in SurrealDB versions prior to 2.0.4 where the database fails to properly enforce field-level permissions during core database operations. The issue manifests specifically during SELECT UPDATE and DELETE operations where authorized users can bypass intended access restrictions through multiple query techniques that exploit weaknesses in the permission enforcement mechanism. This vulnerability directly impacts the principle of least privilege and can be categorized under CWE-284 Access Control Issues, representing a failure to properly implement field-level authorization controls.
The technical exploitation occurs through several distinct pathways that circumvent normal permission checks. SELECT VALUE operations allow attackers to extract individual field values without proper authorization by bypassing the standard row-level access controls. Field aliasing techniques enable unauthorized data extraction by renaming fields in queries to avoid permission validation. Function arguments within queries can reference protected fields even when the user lacks direct access permissions. WHERE clause filtering operations may inadvertently expose protected field data through comparative queries that reveal information about restricted values. RETURN BEFORE clauses and SET clause references provide additional attack vectors where protected field contents can be leaked during update operations, allowing attackers to infer sensitive data without explicit permission.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential data integrity compromise and unauthorized information disclosure. Attackers can systematically map out database schemas and extract sensitive information through repeated queries that leverage these permission bypass techniques. This vulnerability enables reconnaissance activities where threat actors can determine the existence and structure of protected fields, potentially leading to more sophisticated attacks targeting specific data elements. The cumulative effect of these bypass mechanisms creates a pathway for attackers to gather comprehensive information about database contents without proper authorization.
Mitigation strategies should focus on implementing comprehensive field-level permission enforcement across all query operations within SurrealDB. Organizations must upgrade to version 2.0.4 or later where the field permission enforcement has been properly implemented and validated. Database administrators should implement strict access controls and regularly audit field-level permissions to ensure that users only have access to data necessary for their operational functions. Additional protective measures include implementing query auditing, monitoring for unusual SELECT VALUE operations, and establishing network-level controls to limit database access. This vulnerability aligns with ATT&CK technique T1078 Valid Accounts and T1566 Phishing to gain access, as unauthorized access through permission bypass can lead to broader system compromise. The remediation approach should also include implementing automated scanning tools to detect potential exploitation attempts and establishing security monitoring procedures specifically designed to identify these field-level permission bypass techniques.
The vulnerability demonstrates how insufficient input validation and access control implementation in database systems can create persistent security risks that may remain undetected for extended periods. Organizations relying on SurrealDB must conduct comprehensive security assessments of their database environments to identify potential exploitation opportunities. Regular penetration testing should include specific checks for field-level permission bypass techniques, particularly focusing on the query constructs mentioned in the vulnerability description. Security teams should also implement proper incident response procedures that account for field-level data exposure scenarios and establish clear protocols for investigating unauthorized access attempts through these specific mechanisms.