Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by surrealdb

    CVE-2026-49997 (GCVE-0-2026-49997)

    Vulnerability from nvd – Published: 2026-07-15 16:14 – Updated: 2026-07-15 16:14
    VLAI
    Title
    SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted
    Summary
    SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    surrealdb surrealdb Affected: < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "surrealdb",
              "vendor": "surrealdb",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table\u0027s PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T16:14:03.602Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-whwg-vh4f-pmmf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-whwg-vh4f-pmmf"
            },
            {
              "name": "https://github.com/surrealdb/surrealdb/commit/500f4060349580b9cbb9c07b8112a487551c4616",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/surrealdb/surrealdb/commit/500f4060349580b9cbb9c07b8112a487551c4616"
            },
            {
              "name": "https://github.com/surrealdb/surrealdb/releases/tag/v3.1.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/surrealdb/surrealdb/releases/tag/v3.1.0"
            }
          ],
          "source": {
            "advisory": "GHSA-whwg-vh4f-pmmf",
            "discovery": "UNKNOWN"
          },
          "title": "SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49997",
        "datePublished": "2026-07-15T16:14:03.602Z",
        "dateReserved": "2026-06-02T18:30:51.283Z",
        "dateUpdated": "2026-07-15T16:14:03.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49997 (GCVE-0-2026-49997)

    Vulnerability from cvelistv5 – Published: 2026-07-15 16:14 – Updated: 2026-07-15 16:14
    VLAI
    Title
    SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted
    Summary
    SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    surrealdb surrealdb Affected: < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "surrealdb",
              "vendor": "surrealdb",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table\u0027s PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T16:14:03.602Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-whwg-vh4f-pmmf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-whwg-vh4f-pmmf"
            },
            {
              "name": "https://github.com/surrealdb/surrealdb/commit/500f4060349580b9cbb9c07b8112a487551c4616",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/surrealdb/surrealdb/commit/500f4060349580b9cbb9c07b8112a487551c4616"
            },
            {
              "name": "https://github.com/surrealdb/surrealdb/releases/tag/v3.1.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/surrealdb/surrealdb/releases/tag/v3.1.0"
            }
          ],
          "source": {
            "advisory": "GHSA-whwg-vh4f-pmmf",
            "discovery": "UNKNOWN"
          },
          "title": "SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49997",
        "datePublished": "2026-07-15T16:14:03.602Z",
        "dateReserved": "2026-06-02T18:30:51.283Z",
        "dateUpdated": "2026-07-15T16:14:03.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }