{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/rust/surrealdb--3.1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 3.1.0)","rust/surrealdb (\u003c 3.1.0)"],"_cs_severities":["high"],"_cs_tags":["surrealdb","vulnerability","session-hijack","web-application","rpc","database"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eAnonymous attackers can exploit a critical vulnerability in SurrealDB’s HTTP \u003ccode\u003e/rpc\u003c/code\u003e endpoint, specifically affecting versions prior to 3.1.0. The flaw allows an unauthenticated caller to invoke the \u003ccode\u003esessions\u003c/code\u003e method, which inadvertently returns all attached session UUIDs. Furthermore, the \u003ccode\u003e/rpc\u003c/code\u003e handler failed to perform ownership checks when a client-supplied session ID was present in a request. This combination enables an attacker to enumerate valid session identifiers and then impersonate any authenticated session by injecting a stolen UUID into subsequent requests. This vulnerability is particularly impactful for applications using the official Rust SDK’s \u003ccode\u003eHttp\u003c/code\u003e/\u003ccode\u003eHttps\u003c/code\u003e engine, as it automatically attaches sessions, making them enumerable and hijackable. Successful exploitation grants the attacker the full privileges of the hijacked session, including read, write, and delete capabilities over database data, as well as metadata exfiltration and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn anonymous attacker sends an unauthenticated HTTP GET or POST request to the SurrealDB \u003ccode\u003e/rpc\u003c/code\u003e endpoint, invoking the \u003ccode\u003esessions\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SurrealDB server (versions \u0026lt; 3.1.0) responds to the unauthenticated request by returning a list of all currently attached session UUIDs.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the server's response to extract one or more valid, potentially authenticated, session UUIDs.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a subsequent HTTP POST request to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint, including a stolen session UUID within the \u003ccode\u003esession\u003c/code\u003e field of the request body or header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SurrealDB server processes this request without performing an ownership check, associating the incoming request with the privileges and context of the hijacked session.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked session's privileges to execute arbitrary database operations (e.g., read, write, or delete data), dump sensitive metadata, invalidate other sessions, or perform other actions commensurate with the compromised session's access level, potentially escalating to root.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to completely hijack any attached and authenticated SurrealDB session. This leads to unauthorized data access, modification, and deletion for any data the compromised session can reach. Attackers can also exfiltrate sensitive database metadata, invalidate legitimate user sessions, and achieve privilege escalation up to the highest level associated with the hijacked session, potentially gaining root access to the database. The breadth of impact depends directly on the privileges of the stolen session, posing a significant risk to data integrity, confidentiality, and availability for affected SurrealDB deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all SurrealDB instances to version 3.1.0 or later immediately to patch the vulnerability described in this brief.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, modify application logic to avoid client flows that call \u003ccode\u003eattach\u003c/code\u003e against HTTP \u003ccode\u003e/rpc\u003c/code\u003e, as detailed in the workarounds section of this brief, prioritizing WebSocket transport or REST endpoints.\u003c/li\u003e\n\u003cli\u003eImplement network-level access controls to restrict direct access to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint to only trusted internal clients, as described in the workaround for this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:36:18Z","date_published":"2026-07-03T12:36:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/","summary":"A critical vulnerability (versions prior to 3.1.0) in SurrealDB's HTTP /rpc endpoint allowed unauthenticated attackers to enumerate session UUIDs via the `sessions` method, enabling full session hijack of any attached and authenticated session due to a lack of ownership checks, leading to unauthorized data manipulation and privilege escalation.","title":"SurrealDB HTTP /rpc Session Hijack Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed - Rust/Surrealdb (\u003c 3.1.0)","version":"https://jsonfeed.org/version/1.1"}