SurrealDB Command-Line Export SurrealQL Injection Vulnerability Allowing Privilege Escalation

Vulnerability

A SurrealQL injection vulnerability has been identified in SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2. The issue arises because the command-line export feature does not properly sanitize table and field names. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names that include SurrealQL. When a higher-privileged user imports the exported backup, the injected SurrealQL is executed, leading to privilege escalation and a complete takeover of the SurrealDB instance. Additionally, applications that allow users to define custom tables or fields are vulnerable to a second-order SurrealQL injection, even if query parameters are sanitized.

Impact

Exploitation of this vulnerability allows for unauthorized SurrealQL execution, privilege escalation, and root-level access to the SurrealDB instance. It also enables SurrealQL injection attacks against co-tenanted applications using SurrealDB as a shared backend.

Remediation

Users can upgrade to SurrealDB versions 2.2.2, 2.1.5, or 2.0.5 to address this vulnerability. For those unable to upgrade, it is recommended to manually inspect exported data for injected SurrealQL statements before importing.

Added: Jul 18, 2026, 2:28 PM
Updated: Jul 18, 2026, 2:28 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
7.5
exploitability
2.8
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.