GHSA-6g9v-7gq3-p2c6MediumCVSS 4.3Disclosed before NVD

SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages

Published
July 1, 2026
Last Modified
July 1, 2026

📋 Description

A record user with UPDATE access could read field values that field-level SELECT permissions hid from them. Arithmetic operators and extend embedded the raw operand into their error messages, and UPDATE permission checks evaluate against the unreduced document — so triggering such an error against a hidden field returned its value in the resulting error.

Impact

A record user issues an UPDATE that performs an incompatible operation against a hidden field — e.g. UPDATE person:me SET probe = email + 1 when email is a string — and reads the value from the returned error (Tried to compute "[email protected]" + 1 …). One field per operation, but the attacker can repeat against any field on any record they can UPDATE.

Patches

A patch has been introduced that replaces the raw operand in every try_* operator and in extend with the operand's type name ("string", "int", "array", etc.).

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Affected users who are unable to update should not grant UPDATE permission on records whose field-level SELECT permissions are expected to hide values from the same caller.

🎯 Affected products1

  • rust/surrealdb:< 3.1.0

🔗 References (3)