PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-54366 surrealdb CVE debrief

CVE-2023-54366 is a high-severity vulnerability in SurrealDB, a database management system. The vulnerability arises from SurrealDB's default setting of table permissions to FULL instead of NONE, allowing for SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. This issue affects SurrealDB versions before 1.0.1 and can be exploited by attackers with database access or unauthenticated users on publicly exposed instances, enabling them to perform unrestricted operations on unprotected tables within their authorization scope.

Vendor
surrealdb
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users and administrators of SurrealDB, especially those with publicly exposed instances or unauthenticated access, should be aware of this vulnerability. Developers and security teams should prioritize updating to SurrealDB version 1.0.1 or later to mitigate this issue.

Technical summary

The vulnerability is caused by SurrealDB's insecure default configuration, setting table permissions to FULL instead of NONE. This allows unauthorized users to perform various operations on tables, including SELECT, CREATE, UPDATE, and DELETE, without explicit permissions. The issue is particularly concerning for publicly exposed instances or those with weak access controls. SurrealDB versions before 1.0.1 are affected, and updating to version 1.0.1 or later is recommended to mitigate this issue. Additionally, administrators should review and adjust table permissions to ensure proper access controls are in place.

Defensive priority

High priority should be given to updating SurrealDB to version 1.0.1 or later. Additionally, administrators should review and adjust table permissions to ensure proper access controls are in place. Publicly exposed instances should be reviewed for potential exposure.

Recommended defensive actions

  • Update SurrealDB to version 1.0.1 or later
  • Review and adjust table permissions to ensure proper access controls
  • Monitor for suspicious activity on publicly exposed instances
  • Implement additional security measures for unauthenticated access
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-18T14:17:07.603Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects SurrealDB versions before 1.0.1. Evidence is limited, and defenders should verify the affected scope and vendor guidance for further information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:07.603Z and has not been modified since then.