In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Incorrect Authorization vulnerabilities in an interactive lesson.
Start learningUpgrade surrealdb to version 3.1.0-beta.3 or higher.
Affected versions of this package are vulnerable to Incorrect Authorization in the UPDATE ... PATCH process. An attacker can access unauthorized field values by issuing a JSON Patch operation with an empty from parameter, causing protected fields to be duplicated into a new field and bypassing field-level access controls.
This vulnerability can be mitigated by restricting UPDATE ... PATCH operations to users who already have SELECT permission on every field of the target record, or by switching to explicit SET or MERGE clauses, which do not accept JSON Patch operations.