CVE-2026-63309
Received Received - Intake

SurrealDB Field-Level SELECT Permission Bypass via ORDER BY

Vulnerability report for CVE-2026-63309, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records, even though the field itself returns null as intended.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
surrealdb surrealdb From 3.0.0 (inc) to 3.1.4 (inc)
surrealdb surrealdb to 3.1.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

SurrealDB before version 3.1.5 fails to enforce field-level SELECT permissions on ORDER BY clauses. This allows authenticated users to infer the relative ordering of restricted field values even when those fields return null. Attackers can issue ORDER BY queries on indexed restricted fields to determine the sort order of hidden values across records, potentially revealing sensitive information indirectly.

Detection Guidance

To detect this vulnerability, check if your SurrealDB version is between 3.0.0 and 3.1.4. Run the command: surrealdb version. If the version is within this range, the system may be vulnerable. Additionally, test for field-level permission bypass by issuing ORDER BY queries on restricted fields and observing if null values are returned but sorted according to hidden values.

  • Check SurrealDB version: surrealdb version
  • Test ORDER BY on restricted fields: SELECT * FROM table ORDER BY restricted_field
Impact Analysis

If you use SurrealDB versions 3.0.0 to 3.1.4 with field-level SELECT permissions on sensitive fields, attackers with table access could exploit this to infer the relative ordering of restricted data. This could help narrow down exact values by combining the leaked ordering with other accessible records. The impact is limited to confidentiality risks and does not allow direct data reading or affect root sessions.

Compliance Impact

This vulnerability could lead to unauthorized exposure of sensitive data ordering, potentially violating GDPR's data protection principles or HIPAA's confidentiality requirements. Organizations using affected SurrealDB versions may face compliance risks if restricted fields contain personal or health information, as the flaw enables indirect leakage of sensitive data relationships.

Mitigation Strategies

Upgrade SurrealDB to version 3.1.5 or later immediately. If upgrading is not possible, apply workarounds such as disabling indexes on restricted fields, using table-level permissions instead of field-level restrictions, or forcing the legacy executor.

  • Upgrade SurrealDB: surrealdb upgrade to version 3.1.5 or higher
  • Disable indexes on restricted fields or use table-level permissions as temporary fixes

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63309. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart