PatchSiren cyber security CVE debrief
CVE-2023-54366 surrealdb CVE debrief
CVE-2023-54366 is a high-severity vulnerability in SurrealDB, a database management system. The vulnerability arises from SurrealDB's default setting of table permissions to FULL instead of NONE, allowing for SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. This issue affects SurrealDB versions before 1.0.1 and can be exploited by attackers with database access or unauthenticated users on publicly exposed instances, enabling them to perform unrestricted operations on unprotected tables within their authorization scope.
- Vendor
- surrealdb
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users and administrators of SurrealDB, especially those with publicly exposed instances or unauthenticated access, should be aware of this vulnerability. Developers and security teams should prioritize updating to SurrealDB version 1.0.1 or later to mitigate this issue.
Technical summary
The vulnerability is caused by SurrealDB's insecure default configuration, setting table permissions to FULL instead of NONE. This allows unauthorized users to perform various operations on tables, including SELECT, CREATE, UPDATE, and DELETE, without explicit permissions. The issue is particularly concerning for publicly exposed instances or those with weak access controls. SurrealDB versions before 1.0.1 are affected, and updating to version 1.0.1 or later is recommended to mitigate this issue. Additionally, administrators should review and adjust table permissions to ensure proper access controls are in place.
Defensive priority
High priority should be given to updating SurrealDB to version 1.0.1 or later. Additionally, administrators should review and adjust table permissions to ensure proper access controls are in place. Publicly exposed instances should be reviewed for potential exposure.
Recommended defensive actions
- Update SurrealDB to version 1.0.1 or later
- Review and adjust table permissions to ensure proper access controls
- Monitor for suspicious activity on publicly exposed instances
- Implement additional security measures for unauthenticated access
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-18T14:17:07.603Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects SurrealDB versions before 1.0.1. Evidence is limited, and defenders should verify the affected scope and vendor guidance for further information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:07.603Z and has not been modified since then.