CVE-2026-49997 in SurrealDBinfo

Summary

by MITRE • 07/15/2026

SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in SurrealDB affects the Document::purge_edges functionality within the core database engine, specifically in the file surrealdb/core/src/doc/delete.rs. This flaw represents a critical permission bypass issue that undermines the database's access control mechanisms. The vulnerability exists prior to version 3.1.0 and stems from how the system handles graph edge record deletion when nodes are removed from the database. When a node is deleted, the purge_edges function automatically removes connected graph edges without properly enforcing the edge table's defined permission constraints.

The technical implementation of this vulnerability involves the opt.clone().with_perms(false) operation which disables permission checking for the edge records being purged. This design flaw allows unauthorized deletion of graph edges that should be protected by the PERMISSIONS FOR delete and PERMISSIONS FOR select clauses defined at the edge table level. The bypass occurs because the system fails to respect the granular access controls that should govern edge record operations, effectively granting all users the ability to remove graph connections regardless of their assigned permissions.

The operational impact of this vulnerability is significant as it compromises the integrity of the database's graph relationships and access control policies. An attacker with sufficient privileges to delete nodes could potentially exploit this flaw to remove graph edges that should be protected by specific permission rules, leading to data corruption or unauthorized modification of relationship structures. This affects not only the security posture but also the reliability of graph-based queries that depend on consistent edge connectivity. The vulnerability creates a scenario where the database's permission system becomes effectively bypassed during node deletion operations, undermining the fundamental principle of least privilege.

This issue aligns with CWE-284 (Improper Access Control) and represents a specific instance of permission enforcement failure in database systems. From an ATT&CK perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as it could be exploited by attackers who gain legitimate access to delete operations but then use the bypass to escalate their privileges or manipulate data relationships. The fix implemented in version 3.1.0 addresses this by ensuring that edge deletion operations properly respect the defined permission constraints, requiring proper authorization checks before removing graph connections.

Organizations using SurrealDB should immediately upgrade to version 3.1.0 or later to remediate this vulnerability. Additionally, administrators should review existing edge table permissions to ensure that appropriate access controls are in place and monitor for any unauthorized modifications to graph relationships that might indicate exploitation attempts. The fix demonstrates the importance of maintaining proper separation between data operations and permission enforcement mechanisms within distributed database systems, particularly those handling complex graph structures where relationship integrity is paramount to system security.

Responsible

GitHub M

Reservation

06/02/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!