Skip to main content

SurrealDB EUVDEUVD-2026-44713

| CVE-2026-49997 MEDIUM
Improper Authorization (CWE-285)
2026-07-01 https://github.com/surrealdb/surrealdb GHSA-whwg-vh4f-pmmf
5.4
CVSS 3.1 · Vendor: https://github.com/surrealdb/surrealdb
Share

Severity by source

Vendor (https://github.com/surrealdb/surrealdb) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible with low-privilege auth required; limited C/I from unauthorized edge observation and deletion; no availability impact or scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/surrealdb/surrealdb).

CVSS VectorVendor: https://github.com/surrealdb/surrealdb

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 20:51 vuln.today

DescriptionCVE.org

In SurrealDB, records can be connected as a graph: a RELATE statement creates an edge record between two node records. If either endpoint node is deleted, SurrealDB automatically removes the edge row to keep the graph consistent.

A user with permission to delete a node could also delete the edges connected to that node, even when the edge table's PERMISSIONS FOR delete clause should have stopped them.

The automatic edge removal (Document::purge_edges) ran with permissions disabled (opt.clone().with_perms(false)), so the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses were never consulted. The removal step could also observe edge state that the edge's SELECT clause should have hidden.

Impact

What an attacker can do:

  • Delete any edge connected to a node they can delete, regardless of the edge table's PERMISSIONS FOR delete clause.
  • Observe edge contents that PERMISSIONS FOR select should have hidden, as a side effect of the same edge-removal step.

What it can't do:

  • Delete nodes on tables they do not hold DELETE on (the edge removal only runs from an authorised node delete).
  • Cross namespace or database isolation boundaries.
  • Escalate to root or operator-level privileges.

Patches

Document::purge_edges now propagates the caller's permission context into the edge removal. Each connected edge DELETE is evaluated against the edge table's PERMISSIONS FOR delete clause, matching a direct DELETE.

Versions 3.1.0 and later are not affected.

Workarounds

  • Restrict node DELETE permission to principals trusted to delete all connected edge records.
  • Use namespace or database isolation as the primary boundary where edge-level PERMISSIONS is load-bearing for multi-tenant separation.

AnalysisAI

SurrealDB's automatic graph edge cleanup mechanism bypasses edge-table permission clauses, allowing authenticated low-privilege users to delete edge records and observe hidden edge contents they are not authorized to access. When a node is deleted, the Document::purge_edges routine fires with permissions explicitly disabled (opt.clone().with_perms(false)), meaning the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses are never consulted. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege SurrealDB credentials
Delivery
Issue DELETE on an authorized node record
Exploit
Auto-purge triggers `Document::purge_edges` with permissions disabled
Execution
Edge DELETE bypasses PERMISSIONS FOR delete on edge table
Persist
Edge SELECT bypass exposes hidden edge contents
Impact
Unauthorized edge records deleted and relationship data observed

Vulnerability AssessmentAI

Exploitation Exploitation requires an active authenticated SurrealDB session with DELETE permission on at least one node table. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) accurately reflects the limited-but-real impact: low-privilege authenticated network access, no interaction required, constrained confidentiality and integrity impact, no availability component, and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated SurrealDB user with low-privilege DELETE access on a node table issues a `DELETE` statement against a node record. SurrealDB's automatic graph consistency routine fires and removes all connected edge records without consulting the edge table's permission clauses. …
Remediation Upgrade SurrealDB to version 3.1.0 or later, which patches `Document::purge_edges` to propagate the caller's permission context so that each connected edge DELETE is evaluated against the edge table's `PERMISSIONS FOR delete` clause. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44713 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy