{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/surrealdb--1.5.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2024-58362"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 1.5.5)","SurrealDB (2.0.0-beta \u003c 2.0.0-beta.3)"],"_cs_severities":["high"],"_cs_tags":["database-vulnerability","remote-code-execution","unauthenticated-access","data-manipulation"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eCVE-2024-58362 describes a high-severity vulnerability in SurrealDB versions before 1.5.5 and 2.0.0-beta before 2.0.0-beta.3. This flaw allows an unauthenticated attacker to execute arbitrary subqueries within the database. The vulnerability arises because the SurrealDB RPC API's \u003ccode\u003esignin\u003c/code\u003e and \u003ccode\u003esignup\u003c/code\u003e operations accept an arbitrary object without proper recursive validation for non-computed values. When the RPC API is exposed to untrusted users and a record access method defines a \u003ccode\u003eSIGNIN\u003c/code\u003e or \u003ccode\u003eSIGNUP\u003c/code\u003e query, an attacker can embed a malicious subquery within a binary object using the bincode serialization format. This crafted object is then supplied in place of legitimate credentials, and the subquery is executed under a system user session with an \u003ccode\u003eeditor\u003c/code\u003e role. This grants the attacker the ability to select, create, update, and delete non-IAM resources within the database, posing a significant risk to data integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an exposed SurrealDB RPC API instance in a target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that a record access method defines a \u003ccode\u003eSIGNIN\u003c/code\u003e or \u003ccode\u003eSIGNUP\u003c/code\u003e query, making the vulnerability exploitable.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a binary object that leverages the bincode serialization format to embed a malicious subquery.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this specially crafted binary object as part of a \u003ccode\u003esignin\u003c/code\u003e or \u003ccode\u003esignup\u003c/code\u003e operation to the vulnerable RPC API endpoint.\u003c/li\u003e\n\u003cli\u003eSurrealDB's RPC API processes the arbitrary object without proper recursive validation of non-computed values, leading to the acceptance and processing of the malicious subquery.\u003c/li\u003e\n\u003cli\u003eThe embedded subquery is executed within the database owner's \u003ccode\u003eSIGNIN\u003c/code\u003e/\u003ccode\u003eSIGNUP\u003c/code\u003e query context.\u003c/li\u003e\n\u003cli\u003eThe subquery runs under a system user session, inheriting an \u003ccode\u003eeditor\u003c/code\u003e role, and performs unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker's subquery successfully selects, creates, updates, or deletes non-IAM resources within the SurrealDB database, achieving unauthorized data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-58362 allows an unauthenticated attacker to gain significant control over the SurrealDB database's non-IAM resources. Attackers can execute arbitrary subqueries, leading to unauthorized selection, creation, modification, or deletion of data. This could result in data theft, data corruption, or the complete compromise of information stored within the database. While the attacker cannot directly view the results of the query or affect IAM resources (which require an 'owner' role), the ability to manipulate core database content at an 'editor' level presents a critical risk to data integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2024-58362 immediately\u003c/strong\u003e by upgrading SurrealDB to version 1.5.5 or later, or 2.0.0-beta.3 or later, to remediate the arbitrary object execution vulnerability.\u003c/li\u003e\n\u003cli\u003eRestrict network exposure of the SurrealDB RPC API to trusted users and internal networks only, preventing untrusted users from accessing vulnerable endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor SurrealDB RPC API logs for unusual \u003ccode\u003esignin\u003c/code\u003e or \u003ccode\u003esignup\u003c/code\u003e requests originating from suspicious IP addresses or containing abnormally large or malformed payloads, as these could indicate an attempted exploitation of CVE-2024-58362.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T14:20:18Z","date_published":"2026-07-18T14:20:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-arbitrary-object-execution/","summary":"An unauthenticated remote code execution vulnerability exists in SurrealDB's RPC API, affecting versions prior to 1.5.5 and 2.0.0-beta prior to 2.0.0-beta.3, allowing attackers to inject a specially crafted binary object containing a subquery during signin or signup operations, leading to execution with editor-level privileges and manipulation of non-IAM database resources.","title":"SurrealDB RPC API Arbitrary Object Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-arbitrary-object-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - SurrealDB (\u003c 1.5.5)","version":"https://jsonfeed.org/version/1.1"}