CVE-2026-63309 in SurrealDBinfo

Summary

by MITRE • 07/17/2026

SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records, even though the field itself returns null as intended.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/18/2026

This vulnerability in SurrealDB versions prior to 3.1.5 represents a critical access control flaw that undermines the database's field-level permissions system. The issue specifically affects the ORDER BY functionality where the database fails to properly enforce SELECT permissions on restricted fields during sorting operations. This creates a scenario where authenticated users can indirectly access information that should be protected through the field-level access controls, effectively bypassing the intended security boundaries.

The technical implementation flaw stems from an incomplete permission check during query execution phases. When users issue ORDER BY clauses on indexed fields that are restricted by SELECT permissions, the database correctly prevents direct retrieval of those field values through regular SELECT statements. However, the ordering mechanism does not properly validate whether the user has adequate permissions to determine the relative sort order of restricted data. This creates a side-channel attack vector where attackers can infer information about the hidden values based on how they are ordered in the result set.

The operational impact of this vulnerability extends beyond simple information disclosure, as it allows for sophisticated data reconstruction attacks through pattern analysis and statistical inference. An attacker with access to the database can construct multiple ORDER BY queries against restricted fields and observe the resulting sort orders across different record sets. This enables them to build a mapping of how restricted values relate to each other in terms of their relative ordering, effectively reconstructing portions of the hidden data without direct access to the field contents.

This vulnerability aligns with CWE-284 Access Control Issues, specifically concerning insufficient permissions enforcement during query execution phases. The flaw also corresponds to ATT&CK technique T1213 Data from Information Repositories, as it allows for unauthorized extraction of data through indirect means. The issue particularly affects databases that rely on field-level access controls for sensitive information protection, where the assumption is that restricted fields cannot be accessed through any query mechanism, including sorting operations.

Organizations using SurrealDB should immediately implement the patch version 3.1.5 or later to address this vulnerability. Additionally, security teams should conduct thorough audits of their database access control configurations and review existing ORDER BY queries for potentially sensitive fields. Implementing monitoring for unusual ORDER BY patterns and establishing proper field-level permission reviews can help detect potential exploitation attempts. The mitigation strategy should also include regular security assessments of database query interfaces to ensure that all access control mechanisms function properly across different query types and execution paths, preventing similar side-channel vulnerabilities from emerging in other database operations.

Responsible

VulnCheck

Reservation

07/16/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!