Skip to content

Commit bda9060

Browse files
1 parent e29e9f5 commit bda9060

1 file changed

Lines changed: 56 additions & 0 deletions

File tree

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-vjjx-rfw4-rmfc",
4+
"modified": "2026-07-01T20:10:34Z",
5+
"published": "2026-07-01T20:10:34Z",
6+
"aliases": [],
7+
"summary": "SurrealDB: Graph traversal bypasses table SELECT permissions",
8+
"details": "An authenticated record or scope user could read records on any table reachable through a graph edge or `REFERENCES TO` back-reference, regardless of that table's `PERMISSIONS FOR select` clause.\n\nTraversing `SELECT * FROM source->edge->target` returned full documents from `target` even when `target` was defined as `PERMISSIONS FOR select NONE`. The same bypass extended through multi-hop chains, so any table reachable by a sequence of edges from a readable starting point was exposed.\n\nThe root cause: `GraphEdgeScan` and `ReferenceScan` fetched records straight from storage without routing them through `Document::pluck_select`, so the target table's permission expression was never consulted.\n\n### Impact\n\nAn authenticated record or scope user can read records on any table reachable through a chain of graph edges or back-references from a table they have `select` on, regardless of the target's `PERMISSIONS FOR select` clause. Confidentiality-only and bounded to the caller's current database — namespace and database isolation are unaffected.\n\n### Patches\n\nA new per-batch permission cache (`exec::permission::CachedTableSelect`) resolves each target table's `SELECT` permission once and filters yielded values through `check_permission_for_value`, matching the regular `SELECT` code path.\n\n- Versions 3.1.0 and later are not affected.\n\n### Workarounds\n\n- Remove `select` permission on edge tables whose targets should be hidden.\n- Use namespace or database isolation as the primary boundary where feasible.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "crates.io",
19+
"name": "surrealdb"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "3.1.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-vjjx-rfw4-rmfc"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/surrealdb/surrealdb"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-200",
49+
"CWE-863"
50+
],
51+
"severity": "MODERATE",
52+
"github_reviewed": true,
53+
"github_reviewed_at": "2026-07-01T20:10:34Z",
54+
"nvd_published_at": null
55+
}
56+
}

0 commit comments

Comments
 (0)