{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/surrealdb/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 3.1.0)","rust/surrealdb (\u003c 3.1.0)"],"_cs_severities":["high"],"_cs_tags":["surrealdb","vulnerability","session-hijack","web-application","rpc","database"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eAnonymous attackers can exploit a critical vulnerability in SurrealDB’s HTTP \u003ccode\u003e/rpc\u003c/code\u003e endpoint, specifically affecting versions prior to 3.1.0. The flaw allows an unauthenticated caller to invoke the \u003ccode\u003esessions\u003c/code\u003e method, which inadvertently returns all attached session UUIDs. Furthermore, the \u003ccode\u003e/rpc\u003c/code\u003e handler failed to perform ownership checks when a client-supplied session ID was present in a request. This combination enables an attacker to enumerate valid session identifiers and then impersonate any authenticated session by injecting a stolen UUID into subsequent requests. This vulnerability is particularly impactful for applications using the official Rust SDK’s \u003ccode\u003eHttp\u003c/code\u003e/\u003ccode\u003eHttps\u003c/code\u003e engine, as it automatically attaches sessions, making them enumerable and hijackable. Successful exploitation grants the attacker the full privileges of the hijacked session, including read, write, and delete capabilities over database data, as well as metadata exfiltration and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn anonymous attacker sends an unauthenticated HTTP GET or POST request to the SurrealDB \u003ccode\u003e/rpc\u003c/code\u003e endpoint, invoking the \u003ccode\u003esessions\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SurrealDB server (versions \u0026lt; 3.1.0) responds to the unauthenticated request by returning a list of all currently attached session UUIDs.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the server's response to extract one or more valid, potentially authenticated, session UUIDs.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a subsequent HTTP POST request to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint, including a stolen session UUID within the \u003ccode\u003esession\u003c/code\u003e field of the request body or header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SurrealDB server processes this request without performing an ownership check, associating the incoming request with the privileges and context of the hijacked session.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked session's privileges to execute arbitrary database operations (e.g., read, write, or delete data), dump sensitive metadata, invalidate other sessions, or perform other actions commensurate with the compromised session's access level, potentially escalating to root.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to completely hijack any attached and authenticated SurrealDB session. This leads to unauthorized data access, modification, and deletion for any data the compromised session can reach. Attackers can also exfiltrate sensitive database metadata, invalidate legitimate user sessions, and achieve privilege escalation up to the highest level associated with the hijacked session, potentially gaining root access to the database. The breadth of impact depends directly on the privileges of the stolen session, posing a significant risk to data integrity, confidentiality, and availability for affected SurrealDB deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all SurrealDB instances to version 3.1.0 or later immediately to patch the vulnerability described in this brief.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, modify application logic to avoid client flows that call \u003ccode\u003eattach\u003c/code\u003e against HTTP \u003ccode\u003e/rpc\u003c/code\u003e, as detailed in the workarounds section of this brief, prioritizing WebSocket transport or REST endpoints.\u003c/li\u003e\n\u003cli\u003eImplement network-level access controls to restrict direct access to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint to only trusted internal clients, as described in the workaround for this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:36:18Z","date_published":"2026-07-03T12:36:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/","summary":"A critical vulnerability (versions prior to 3.1.0) in SurrealDB's HTTP /rpc endpoint allowed unauthenticated attackers to enumerate session UUIDs via the `sessions` method, enabling full session hijack of any attached and authenticated session due to a lack of ownership checks, leading to unauthorized data manipulation and privilege escalation.","title":"SurrealDB HTTP /rpc Session Hijack Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 3.1.0)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","race-condition","webserver","surrealdb"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eSurrealDB, a multi-model database, is affected by a critical time-of-check/time-of-use (TOCTOU) race condition (CVE-2024-XXXX, though not explicitly numbered in source) within its HTTP \u003ccode\u003e/rpc\u003c/code\u003e endpoint. This vulnerability impacts versions prior to \u003ccode\u003ev3.1.0\u003c/code\u003e and allows an unauthenticated attacker to escalate privileges. The flaw stems from concurrent requests sharing mutable authentication state; an unauthenticated request can race to inherit the session context of a legitimate, concurrently executing authenticated request. This mechanism, affecting the primary interface used by all official SurrealDB SDKs, allows attackers to bypass authentication and execute actions with the hijacked user's permissions, potentially leading to complete compromise of the SurrealDB instance if a root or namespace-level session is targeted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user sends a legitimate \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint of a vulnerable SurrealDB instance.\u003c/li\u003e\n\u003cli\u003eDuring the processing of this legitimate request, the server temporarily sets its internal, shared session state to the authenticated user's context.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker, with network access to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint, concurrently sends a \u003ccode\u003ePOST\u003c/code\u003e request to the same \u003ccode\u003e/rpc\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the TOCTOU race condition, the attacker's unauthenticated request is processed while the internal session state still holds the authenticated user's context.\u003c/li\u003e\n\u003cli\u003eThe attacker's request incorrectly inherits the session and privileges of the legitimate, authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker's request is then executed with the elevated privileges of the hijacked session, bypassing authentication.\u003c/li\u003e\n\u003cli\u003eIf the hijacked session belonged to a root or namespace-level user, the attacker gains full control over the database, including reading, modifying, or deleting any data and creating persistent namespace-level users.\u003c/li\u003e\n\u003cli\u003eIf the hijacked session belonged to a scoped record user, the attacker's actions are limited to that user's defined permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthenticated attacker exploiting this race condition can achieve privilege escalation within the SurrealDB instance. The severity of the impact is directly tied to the privileges of the authenticated user whose session is hijacked. If a highly privileged user, such as a root or namespace-level administrator, has their session compromised, the attacker can gain complete control over the database, including the ability to read, modify, or delete any data, as well as create new persistent users at the namespace level. This could lead to data integrity loss, unauthorized data access, and persistent compromise of the database environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SurrealDB instances to version \u003ccode\u003e3.1.0\u003c/code\u003e or newer immediately to apply the patch that introduces per-request session isolation.\u003c/li\u003e\n\u003cli\u003eImplement network-level controls (e.g., firewall rules, WAFs) to restrict access to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint to only trusted clients and applications, reducing the exposure surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:35:23Z","date_published":"2026-07-03T12:35:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-race-condition/","summary":"An unauthenticated time-of-check/time-of-use (TOCTOU) race condition exists in the HTTP /rpc endpoint of SurrealDB versions prior to 3.1.0, allowing an attacker to inherit the session and privileges of an authenticated user by sending concurrent requests, potentially leading to full control over the database if a highly privileged session is hijacked.","title":"SurrealDB HTTP RPC Session Race Condition Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-race-condition/"}],"language":"en","title":"CraftedSignal Threat Feed - Surrealdb","version":"https://jsonfeed.org/version/1.1"}