Surrealdb
Monthly
SurrealDB versions 3.0.0 through 3.1.4 expose a query-planner authorization bypass that allows authenticated record users to infer the relative sort order of field values protected by field-level SELECT permissions. By issuing ORDER BY queries against indexed restricted fields, an attacker with normal table SELECT access can observe that rows are returned in the hidden field's true sorted order even though the field value itself is correctly redacted to null at projection time. No public exploit has been identified at time of analysis, and CISA KEV has not listed this vulnerability; however, the attack surface is inherent to any indexed field protected by field-level permissions in affected versions.
SurrealDB versions 3.0.0 through 3.1.4 expose a query-planner authorization bypass that allows authenticated record users to infer the relative sort order of field values protected by field-level SELECT permissions. By issuing ORDER BY queries against indexed restricted fields, an attacker with normal table SELECT access can observe that rows are returned in the hidden field's true sorted order even though the field value itself is correctly redacted to null at projection time. No public exploit has been identified at time of analysis, and CISA KEV has not listed this vulnerability; however, the attack surface is inherent to any indexed field protected by field-level permissions in affected versions.