SurrealDB Improper Authentication Vulnerability Allowing User Impersonation via Database Switch

Vulnerability

A vulnerability exists in SurrealDB versions prior to 1.5.4 and 2.0.0-alpha.6, where the database authentication process is not properly validated when a scope user switches databases using the 'USE' clause or method. This flaw allows attackers with an authenticated session to impersonate an unrelated user in a different database, provided a user record with the same identifier exists. Such impersonation could enable unauthorized actions if the user's permissions are solely based on the $auth parameter.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed under the identity of an unrelated user in a different database, potentially allowing access to sensitive data or functionalities, depending on the permissions assigned to the impersonated user.

Remediation

Users can update to SurrealDB version 1.5.4 or 2.0.0-alpha.6 or later, where this vulnerability has been patched. For those unable to update, it is recommended to ensure that table 'PERMISSIONS' clauses explicitly check that the $scope parameter matches a scope that is uniquely named across databases in the same SurrealDB instance. Additionally, using record identifiers that are automatically generated or explicitly defined to be unique across databases can help mitigate this issue.

Added: Jul 18, 2026, 2:33 PM
Updated: Jul 18, 2026, 2:33 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
1.3
exploitability
4.8
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.