Product
A critical vulnerability (versions prior to 3.1.0) in SurrealDB's HTTP /rpc endpoint allowed unauthenticated attackers to enumerate session UUIDs via the `sessions` method, enabling full session hijack of any attached and authenticated session due to a lack of ownership checks, leading to unauthorized data manipulation and privilege escalation.