CVE-2024-58363
Received Received - Intake

SurrealDB Authentication Bypass via USE Clause

Vulnerability report for CVE-2024-58363, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches databases using the USE clause or use method. Attackers with an authenticated session can impersonate an unrelated user in a different database if a user record with an identical identifier exists, allowing unauthorized actions if permissions rely solely on the $auth parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
surrealdb surrealdb to 1.5.4 (exc)
surrealdb surrealdb to 2.0.0-alpha.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

SurrealDB before 1.5.4 fails to validate authentication when a scope user switches databases using the USE clause or use method. Attackers with an authenticated session can impersonate another user in a different database if a user record with the same identifier exists, allowing unauthorized actions if permissions rely on the $auth parameter.

Detection Guidance

To detect this vulnerability, check if your SurrealDB version is below 1.5.4. Run the command: surrealdb version. If the version is 1.5.3 or lower, the system is vulnerable. Additionally, review database configurations for user records with identical identifiers across databases.

Impact Analysis

An authenticated attacker could access data or perform actions they shouldn't by impersonating another user in a different database. This is limited to users with matching record identifiers and requires the attacker to have an authenticated session.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing unauthorized access to personal or sensitive health data if permissions rely solely on the $auth parameter. If an attacker exploits this flaw to impersonate a user in a different database, they may gain access to protected information without proper authentication, violating data protection requirements under these regulations.

Mitigation Strategies

Upgrade SurrealDB to version 1.5.4 or later. If upgrading is not possible, ensure PERMISSIONS clauses verify the $scope parameter or use unique record identifiers across databases. Avoid using incremental or explicitly defined identifiers for users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58363. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart