Upgrade surrealdb to version 3.1.5 or higher.
Affected versions of this package are vulnerable to Incorrect Authorization in the resolve_record_batch process. An attacker can access field values that should be hidden by field-level permissions by performing graph-edge, back-reference, or target-vertex traversals, thereby bypassing intended access controls and exposing confidential data.
This vulnerability can be mitigated by forcing the unaffected legacy executor with the --planner-strategy compute-only option (or setting the SURREAL_PLANNER_STRATEGY environment variable), restricting access at the table level instead of relying solely on field-level permissions, or using namespace/database isolation as the primary boundary.
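The table-level mitigation described above, sketched in SurrealQL as an added example (not code from the advisory or the SurrealDB project). The table and field names (person, person_private, owner, ssn) and the $auth.id ownership rule are hypothetical; adapt them to your schema, and migrate existing values before removing the old field.

```sql
-- Constructed schema for illustration; all names are hypothetical.

-- Before: `ssn` is hidden only by a field-level permission, the kind of
-- control the advisory says can be bypassed on affected versions.
DEFINE TABLE person SCHEMAFULL
    PERMISSIONS FOR select FULL;
DEFINE FIELD name ON TABLE person TYPE string;
DEFINE FIELD ssn ON TABLE person TYPE string
    PERMISSIONS FOR select WHERE id = $auth.id;

-- After: the sensitive value moves to its own table, so the access
-- decision is made at table level rather than per field.
DEFINE TABLE person_private SCHEMAFULL
    PERMISSIONS
        FOR select WHERE owner = $auth.id
        FOR create, update, delete NONE;
DEFINE FIELD owner ON TABLE person_private TYPE record<person>;
DEFINE FIELD ssn ON TABLE person_private TYPE string;

-- Once the data has been copied across, drop the field from the
-- broadly readable table so no field-level rule is left guarding it.
REMOVE FIELD ssn ON TABLE person;
```

Treat this as defence in depth alongside the upgrade to 3.1.5 or higher, not as a replacement for it.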