<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SurrealDB (2.0.0-Beta &lt; 2.0.0-Beta.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/surrealdb-2.0.0-beta--2.0.0-beta.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 18 Jul 2026 14:20:18 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/surrealdb-2.0.0-beta--2.0.0-beta.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>SurrealDB RPC API Arbitrary Object Execution Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-arbitrary-object-execution/</link><pubDate>Sat, 18 Jul 2026 14:20:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-arbitrary-object-execution/</guid><description>An unauthenticated remote code execution vulnerability exists in SurrealDB's RPC API, affecting versions prior to 1.5.5 and 2.0.0-beta prior to 2.0.0-beta.3, allowing attackers to inject a specially crafted binary object containing a subquery during signin or signup operations, leading to execution with editor-level privileges and manipulation of non-IAM database resources.</description><content:encoded><![CDATA[<p>CVE-2024-58362 describes a high-severity vulnerability in SurrealDB versions before 1.5.5 and 2.0.0-beta before 2.0.0-beta.3. This flaw allows an unauthenticated attacker to execute arbitrary subqueries within the database. The vulnerability arises because the SurrealDB RPC API's <code>signin</code> and <code>signup</code> operations accept an arbitrary object without proper recursive validation for non-computed values. When the RPC API is exposed to untrusted users and a record access method defines a <code>SIGNIN</code> or <code>SIGNUP</code> query, an attacker can embed a malicious subquery within a binary object using the bincode serialization format. This crafted object is then supplied in place of legitimate credentials, and the subquery is executed under a system user session with an <code>editor</code> role. This grants the attacker the ability to select, create, update, and delete non-IAM resources within the database, posing a significant risk to data integrity and confidentiality.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies an exposed SurrealDB RPC API instance in a target environment.</li>
<li>The attacker determines that a record access method defines a <code>SIGNIN</code> or <code>SIGNUP</code> query, making the vulnerability exploitable.</li>
<li>The attacker crafts a binary object that leverages the bincode serialization format to embed a malicious subquery.</li>
<li>The attacker sends this specially crafted binary object as part of a <code>signin</code> or <code>signup</code> operation to the vulnerable RPC API endpoint.</li>
<li>SurrealDB's RPC API processes the arbitrary object without proper recursive validation of non-computed values, leading to the acceptance and processing of the malicious subquery.</li>
<li>The embedded subquery is executed within the database owner's <code>SIGNIN</code>/<code>SIGNUP</code> query context.</li>
<li>The subquery runs under a system user session, inheriting an <code>editor</code> role, and performs unauthorized actions.</li>
<li>The attacker's subquery successfully selects, creates, updates, or deletes non-IAM resources within the SurrealDB database, achieving unauthorized data manipulation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-58362 allows an unauthenticated attacker to gain significant control over the SurrealDB database's non-IAM resources. Attackers can execute arbitrary subqueries, leading to unauthorized selection, creation, modification, or deletion of data. This could result in data theft, data corruption, or the complete compromise of information stored within the database. While the attacker cannot directly view the results of the query or affect IAM resources (which require an 'owner' role), the ability to manipulate core database content at an 'editor' level presents a critical risk to data integrity and confidentiality.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2024-58362 immediately</strong> by upgrading SurrealDB to version 1.5.5 or later, or 2.0.0-beta.3 or later, to remediate the arbitrary object execution vulnerability.</li>
<li>Restrict network exposure of the SurrealDB RPC API to trusted users and internal networks only, preventing untrusted users from accessing vulnerable endpoints.</li>
<li>Monitor SurrealDB RPC API logs for unusual <code>signin</code> or <code>signup</code> requests originating from suspicious IP addresses or containing abnormally large or malformed payloads, as these could indicate an attempted exploitation of CVE-2024-58362.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>database-vulnerability</category><category>remote-code-execution</category><category>unauthenticated-access</category><category>data-manipulation</category></item></channel></rss>