Incorrect Authorization Affecting surrealdb package, versions >=3.1.0 <3.1.5


Severity

Recommended: medium

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-SURREALDB-17661106
  • published: 28 Jun 2026
  • disclosed: 19 Jun 2026
  • credit: Unknown

Introduced: 19 Jun 2026

CVE: NOT AVAILABLE
CWE: CWE-863

How to fix?

Upgrade surrealdb to version 3.1.5 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Authorization in the resolve_record_batch process. An attacker can access field values that should be hidden by field-level permissions by performing graph-edge, back-reference, or target-vertex traversals, thereby bypassing intended access controls and exposing confidential data.

Workaround

This vulnerability can be mitigated by forcing the unaffected legacy executor with the --planner-strategy compute-only option (or setting the SURREAL_PLANNER_STRATEGY environment variable), restricting access at the table level instead of relying solely on field-level permissions, or using namespace/database isolation as the primary boundary.
