PatchSiren cyber security CVE debrief
CVE-2024-58358 surrealdb CVE debrief
CVE-2024-58358 is a denial of service vulnerability in SurrealDB versions before 2.1.0. Privileged owner users can define users with nonexistent roles, which can be exploited by attackers to trigger an uncaught panic by signing in with a user assigned an invalid role, crashing the server. The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM. The vulnerability exists in the role conversion process of SurrealDB, and an attacker can exploit this vulnerability by signing in with a user assigned an invalid role, causing the server to crash. Users of SurrealDB versions before 2.1.0 should be aware of this vulnerability and take steps to mitigate it. The vendor has not provided additional information about the vulnerability, and defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Vendor
- surrealdb
- Product
- Unknown
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of SurrealDB versions before 2.1.0 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and take steps to protect their systems. Defenders should also review compensating controls for exposed systems while remediation is scheduled and verified.
Technical summary
The vulnerability exists in the role conversion process of SurrealDB versions before 2.1.0. An attacker can exploit this vulnerability by signing in with a user assigned an invalid role, causing the server to crash. This vulnerability has a CVSS score of 6.9 and a severity of MEDIUM. Privileged owner users can define users with nonexistent roles, which can be exploited by attackers to trigger an uncaught panic. The vendor has not provided additional information about the vulnerability, and defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. Defenders should also review compensating controls for exposed systems while remediation is scheduled and verified.
Defensive priority
Medium priority
Recommended defensive actions
- Update SurrealDB to version 2.1.0 or later
- Restrict access to privileged owner users
- Monitor server logs for signs of exploitation
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-18T14:17:08.643Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in SurrealDB versions before 2.1.0, and privileged owner users can define users with nonexistent roles, which can be exploited by attackers to trigger an uncaught panic by signing in with a user assigned an invalid role, crashing the server. The vendor has not provided additional information about the vulnerability, and defenders should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:08.643Z and has not been modified since then. The NVD entry is currently Received.