CVE-2024-58362
Received Received - Intake

Remote Code Execution in SurrealDB

Vulnerability report for CVE-2024-58362, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted users, an unauthenticated attacker can encode a binary object containing a subquery using the bincode serialization format and supply it in place of credentials. The subquery is then executed within the database owner's SIGNIN/SIGNUP query under a system user session with the editor role, allowing the attacker to select, create, update, and delete non-IAM resources (though not view the query results directly, and not affect IAM resources, which require the owner role).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
surrealdb surrealdb to 1.5.5 (exc)
surrealdb surrealdb to 2.0.0-beta.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-75 The product does not adequately filter user-controlled input for special elements with control implications.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in SurrealDB before 1.5.5 and 2.0.0-beta before 2.0.0-beta.3 allows unauthenticated attackers to inject subqueries via the RPC API's signin and signup operations. By sending a binary object encoded in bincode format containing a subquery instead of credentials, the attacker can execute the subquery within the database owner's signin or signup query. This runs under a system user session with editor role permissions, enabling manipulation of non-IAM resources like selecting, creating, updating, or deleting data.

Detection Guidance

To detect this vulnerability, check if your SurrealDB instance is running a vulnerable version (before 1.5.5 or 2.0.0-beta.3). Inspect network traffic for RPC API requests using non-standard content types like bincode. Monitor for unusual database operations during signin or signup requests.

Impact Analysis

If you use SurrealDB versions before 1.5.5 or 2.0.0-beta before 2.0.0-beta.3 and expose the RPC API to untrusted users, an attacker could exploit this to modify or delete your database records without authentication. This could lead to data loss, unauthorized changes, or corruption of your database contents. The impact is limited to non-IAM resources, so user accounts and permissions remain unaffected.

Compliance Impact

This vulnerability could violate compliance requirements such as GDPR or HIPAA by enabling unauthorized data modification or deletion. GDPR requires protecting personal data integrity, while HIPAA mandates safeguarding protected health information. Exploitation could lead to unauthorized changes, breaching these regulations and potentially resulting in legal penalties or loss of compliance certifications.

Mitigation Strategies

Immediately update SurrealDB to version 1.5.5 or 2.0.0-beta.3 or later. If updating is not possible, restrict access to the RPC API by allowing only JSON content type. Disable the RPC API if it is unused or exposed to untrusted networks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58362. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart