SurrealDB Untrusted Query Object Evaluation Vulnerability in RPC API Sign-In and Sign-Up Operations

Vulnerability

A vulnerability exists in SurrealDB versions prior to 1.5.5 and 2.0.0-beta prior to 2.0.0-beta.3, where the RPC API's sign-in and sign-up operations accept arbitrary objects without proper validation for non-computed values. This flaw allows an unauthenticated attacker to encode a binary object containing a subquery using the bincode serialization format and replace the credentials with it. The injected subquery is executed within the context of the database owner's sign-in or sign-up query, under a system user session with editor privileges. As a result, the attacker can manipulate non-IAM resources by selecting, creating, updating, or deleting them, although they cannot directly view the query results or affect IAM resources, which require owner privileges.

Impact

Exploitation of this vulnerability allows for unauthorized query injection during sign-in and sign-up operations, enabling an attacker to manipulate non-IAM resources within the database under the permissions of a system user with editor rights.

Remediation

Users can update to SurrealDB versions 1.5.5 or 2.0.0-beta.3 or later, where this vulnerability has been patched. For those unable to update, it is recommended to restrict access to the SurrealDB RPC API, allowing only requests with the 'application/json' content type to the '/rpc' endpoint. If the RPC API is not used or only by trusted clients, access to the '/rpc' endpoint can be restricted to prevent exploitation. Alternatively, record access methods that include 'SIGNIN' or 'SIGNUP' queries may be temporarily removed to avoid potential attacks.

Added: Jul 18, 2026, 2:32 PM
Updated: Jul 18, 2026, 2:32 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
3.1
exploitability
7.4
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.