CVE-2023-54366
Received Received - Intake

SurrealDB Default Table Permissions Privilege Escalation

Vulnerability report for CVE-2023-54366, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations on unprotected tables within their authorization scope.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
surrealdb surrealdb to 1.0.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

SurrealDB before version 1.0.1 sets default table permissions to FULL instead of NONE. This allows unauthorized users with database access or those on publicly exposed instances to perform SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. The issue is related to incorrect default permissions and could enable attackers to manipulate data within their authorization scope.

Detection Guidance

Check SurrealDB version with: surreal version. If version is below 1.0.1, the system is vulnerable. Inspect table permissions using: INFO FOR DB; look for tables with FULL permissions. Check for publicly exposed instances by reviewing network configurations and API endpoints.

Impact Analysis

Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations on unprotected tables. This includes reading, modifying, or deleting data, potentially leading to data breaches, data loss, or unauthorized data manipulation. Systems with guest access via HTTP REST or WebSocket APIs are particularly vulnerable.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR, HIPAA, and other regulations by enabling unauthorized access to sensitive data. It risks exposing personal or protected health information, violating data protection requirements for confidentiality, integrity, and availability of data.

Mitigation Strategies

Upgrade SurrealDB to version 1.0.1 or later immediately. If upgrading is not possible, explicitly set table permissions to NONE using the PERMISSIONS clause. Disable guest access if not required. Restrict network exposure of SurrealDB instances to trusted networks only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54366. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart