<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rust/Surrealdb (&lt; 3.1.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/rust/surrealdb--3.1.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:36:18 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/rust/surrealdb--3.1.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>SurrealDB HTTP /rpc Session Hijack Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/</link><pubDate>Fri, 03 Jul 2026 12:36:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/</guid><description>A critical vulnerability (versions prior to 3.1.0) in SurrealDB's HTTP /rpc endpoint allowed unauthenticated attackers to enumerate session UUIDs via the `sessions` method, enabling full session hijack of any attached and authenticated session due to a lack of ownership checks, leading to unauthorized data manipulation and privilege escalation.</description><content:encoded><![CDATA[<p>Anonymous attackers can exploit a critical vulnerability in SurrealDB’s HTTP <code>/rpc</code> endpoint, specifically affecting versions prior to 3.1.0. The flaw allows an unauthenticated caller to invoke the <code>sessions</code> method, which inadvertently returns all attached session UUIDs. Furthermore, the <code>/rpc</code> handler failed to perform ownership checks when a client-supplied session ID was present in a request. This combination enables an attacker to enumerate valid session identifiers and then impersonate any authenticated session by injecting a stolen UUID into subsequent requests. This vulnerability is particularly impactful for applications using the official Rust SDK’s <code>Http</code>/<code>Https</code> engine, as it automatically attaches sessions, making them enumerable and hijackable. Successful exploitation grants the attacker the full privileges of the hijacked session, including read, write, and delete capabilities over database data, as well as metadata exfiltration and privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An anonymous attacker sends an unauthenticated HTTP GET or POST request to the SurrealDB <code>/rpc</code> endpoint, invoking the <code>sessions</code> method.</li>
<li>The vulnerable SurrealDB server (versions &lt; 3.1.0) responds to the unauthenticated request by returning a list of all currently attached session UUIDs.</li>
<li>The attacker parses the server's response to extract one or more valid, potentially authenticated, session UUIDs.</li>
<li>The attacker crafts a subsequent HTTP POST request to the <code>/rpc</code> endpoint, including a stolen session UUID within the <code>session</code> field of the request body or header.</li>
<li>The vulnerable SurrealDB server processes this request without performing an ownership check, associating the incoming request with the privileges and context of the hijacked session.</li>
<li>The attacker leverages the hijacked session's privileges to execute arbitrary database operations (e.g., read, write, or delete data), dump sensitive metadata, invalidate other sessions, or perform other actions commensurate with the compromised session's access level, potentially escalating to root.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an unauthenticated attacker to completely hijack any attached and authenticated SurrealDB session. This leads to unauthorized data access, modification, and deletion for any data the compromised session can reach. Attackers can also exfiltrate sensitive database metadata, invalidate legitimate user sessions, and achieve privilege escalation up to the highest level associated with the hijacked session, potentially gaining root access to the database. The breadth of impact depends directly on the privileges of the stolen session, posing a significant risk to data integrity, confidentiality, and availability for affected SurrealDB deployments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all SurrealDB instances to version 3.1.0 or later immediately to patch the vulnerability described in this brief.</li>
<li>If immediate upgrade is not possible, modify application logic to avoid client flows that call <code>attach</code> against HTTP <code>/rpc</code>, as detailed in the workarounds section of this brief, prioritizing WebSocket transport or REST endpoints.</li>
<li>Implement network-level access controls to restrict direct access to the <code>/rpc</code> endpoint to only trusted internal clients, as described in the workaround for this vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>surrealdb</category><category>vulnerability</category><category>session-hijack</category><category>web-application</category><category>rpc</category><category>database</category></item></channel></rss>