CVE-2026-63309 in SurrealDBinformación

Resumen

por MITRE • 2026-07-17

SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records, even though the field itself returns null as intended.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Responsable

VulnCheck

Reservar

2026-07-16

Divulgación

2026-07-17

Moderación

aceptado

Artículo

VDB-379869

CPE

listo

EPSS

0.00000

KEV

no

Actividades

bajo

Fuentes

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!