Back to overview

CVE-2024-58367

HIGH
7.1
CVSS 4.0
Description
SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references to leak protected field contents despite lacking SELECT permissions.

Metadata

CVE ID
CVE-2024-58367
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-18 12:40 UTC
Published
2026-07-18 13:10 UTC
Last updated
2026-07-18 13:10 UTC
Primary CWE
CWE-285
Improper Authorization
Vendor / Product
surrealdb / surrealdb
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (2)
VendorProductPlatformVersions
surrealdb surrealdb 0 < 2.0.4, 2.0.4
surrealdb surrealdb 0 < 2.0.4, 2.0.4
Weakness (CWE)
CWESourceDescription
CWE-285 cna Improper Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References (2)
Back to overview