Back to overview

CVE-2023-54366

HIGH
8.8
CVSS 3.1
Description
SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations on unprotected tables within their authorization scope.

Metadata

CVE ID
CVE-2023-54366
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-22 21:54 UTC
Published
2026-07-18 13:10 UTC
Last updated
2026-07-18 13:10 UTC
Primary CWE
CWE-276
Incorrect Default Permissions
Vendor / Product
surrealdb / surrealdb
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
surrealdb surrealdb 0 < 1.0.1, 1.0.1
Weakness (CWE)
CWESourceDescription
CWE-276 cna Incorrect Default Permissions
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (2)
Back to overview