PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-58362 surrealdb CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:09.047Z and has not been modified since then. SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. This allows an unauthenticated attacker to encode a binary object containing a subquery using the bincode serialization format and supply it in place of credentials, potentially leading to unauthorized data access and modification.

Vendor
surrealdb
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of SurrealDB versions before 1.5.5 or 2.0.0-beta before 2.0.0-beta.3 who expose the RPC API to untrusted users should assess and mitigate this vulnerability. This includes operators, administrators, and security teams responsible for SurrealDB deployments.

Technical summary

SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. This allows an unauthenticated attacker to encode a binary object containing a subquery using the bincode serialization format and supply it in place of credentials, potentially leading to unauthorized data access and modification.

Defensive priority

High priority due to potential for unauthorized data access and modification

Recommended defensive actions

  • Inventory and assess SurrealDB deployments for exposure to untrusted users
  • Apply SurrealDB version 1.5.5 or 2.0.0-beta.3 or later
  • Restrict RPC API access to trusted users and networks
  • Monitor for suspicious RPC API activity
  • Implement compensating controls such as Web Application Firewalls
  • Review and update incident response plans to address potential data breaches
  • Conduct regular security audits to identify and mitigate vulnerabilities

Evidence notes

Evidence is limited; primary official records indicate a potential for query injection via RPC API. Defensive verification tasks are recommended. The CVE record was published on 2026-07-18T14:17:09.047Z and has not been modified since then. SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:09.047Z and has not been modified since then.