PatchSiren cyber security CVE debrief
CVE-2024-58362 surrealdb CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:09.047Z and has not been modified since then. SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. This allows an unauthenticated attacker to encode a binary object containing a subquery using the bincode serialization format and supply it in place of credentials, potentially leading to unauthorized data access and modification.
- Vendor
- surrealdb
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of SurrealDB versions before 1.5.5 or 2.0.0-beta before 2.0.0-beta.3 who expose the RPC API to untrusted users should assess and mitigate this vulnerability. This includes operators, administrators, and security teams responsible for SurrealDB deployments.
Technical summary
SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. This allows an unauthenticated attacker to encode a binary object containing a subquery using the bincode serialization format and supply it in place of credentials, potentially leading to unauthorized data access and modification.
Defensive priority
High priority due to potential for unauthorized data access and modification
Recommended defensive actions
- Inventory and assess SurrealDB deployments for exposure to untrusted users
- Apply SurrealDB version 1.5.5 or 2.0.0-beta.3 or later
- Restrict RPC API access to trusted users and networks
- Monitor for suspicious RPC API activity
- Implement compensating controls such as Web Application Firewalls
- Review and update incident response plans to address potential data breaches
- Conduct regular security audits to identify and mitigate vulnerabilities
Evidence notes
Evidence is limited; primary official records indicate a potential for query injection via RPC API. Defensive verification tasks are recommended. The CVE record was published on 2026-07-18T14:17:09.047Z and has not been modified since then. SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:09.047Z and has not been modified since then.