Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible, low complexity; authenticated record user required (PR:L); only partial confidentiality via sort-order side channel; no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records, even though the field itself returns null as intended.
AnalysisAI
SurrealDB versions 3.0.0 through 3.1.4 expose a query-planner authorization bypass that allows authenticated record users to infer the relative sort order of field values protected by field-level SELECT permissions. By issuing ORDER BY queries against indexed restricted fields, an attacker with normal table SELECT access can observe that rows are returned in the hidden field's true sorted order even though the field value itself is correctly redacted to null at projection time. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: the attacker must be an authenticated record (scope) user with table-level SELECT permission; the target table must have a field protected by a DEFINE FIELD ... … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N accurately reflects a bounded confidentiality leak requiring authenticated network access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated record user who cannot read the 'score' field on other users' records issues repeated ORDER BY score ASC/DESC queries combined with controlled WHERE filters on records they own. By observing the position of other records in the sorted output relative to their own known-value records, the attacker iteratively brackets and narrows the hidden score values toward exact figures without ever receiving the field value directly. |
| Remediation | Upgrade to SurrealDB 3.1.5, which is confirmed as the fixed release per the vendor advisory GHSA-h4h3-3rfj-x6fq and the release page at https://github.com/surrealdb/surrealdb/releases/tag/v3.1.5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45215