Incorrect Authorization Affecting surrealdb-core package, versions <3.1.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.02% (7th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-SURREALDBCORE-17797671
  • published2 Jul 2026
  • disclosed1 Jul 2026
  • creditUnknown

Introduced: 1 Jul 2026

NewCVE-2026-49997  (opens in a new tab)
CWE-285  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade surrealdb-core to version 3.1.0 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Authorization in the automatic removal process of edges when a connected node is deleted. An attacker can bypass access restrictions and view or delete edge records that should be protected by permission clauses by deleting a node to which those edges are connected.

CVSS Base Scores

version 4.0
version 3.1