Skip to main content

SurrealDB CVE-2026-63309

| EUVDEUVD-2026-45215 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-17 VulnCheck
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-accessible, low complexity; authenticated record user required (PR:L); only partial confidentiality via sort-order side channel; no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 17, 2026 - 18:33 EUVD
Source Code Evidence Fetched
Jul 17, 2026 - 16:50 vuln.today
Analysis Generated
Jul 17, 2026 - 16:50 vuln.today

DescriptionCVE.org

SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records, even though the field itself returns null as intended.

AnalysisAI

SurrealDB versions 3.0.0 through 3.1.4 expose a query-planner authorization bypass that allows authenticated record users to infer the relative sort order of field values protected by field-level SELECT permissions. By issuing ORDER BY queries against indexed restricted fields, an attacker with normal table SELECT access can observe that rows are returned in the hidden field's true sorted order even though the field value itself is correctly redacted to null at projection time. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as record scope user
Delivery
Issue ORDER BY query on indexed restricted field
Exploit
Observe sorted row sequence with null field values
Execution
Correlate row positions against attacker-controlled records with known values
Persist
Narrow hidden values via repeated binary-search queries
Impact
Reconstruct approximate hidden field values

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: the attacker must be an authenticated record (scope) user with table-level SELECT permission; the target table must have a field protected by a DEFINE FIELD ... … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N accurately reflects a bounded confidentiality leak requiring authenticated network access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated record user who cannot read the 'score' field on other users' records issues repeated ORDER BY score ASC/DESC queries combined with controlled WHERE filters on records they own. By observing the position of other records in the sorted output relative to their own known-value records, the attacker iteratively brackets and narrows the hidden score values toward exact figures without ever receiving the field value directly.
Remediation Upgrade to SurrealDB 3.1.5, which is confirmed as the fixed release per the vendor advisory GHSA-h4h3-3rfj-x6fq and the release page at https://github.com/surrealdb/surrealdb/releases/tag/v3.1.5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy