PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-58363 surrealdb CVE debrief

CVE-2024-58363 is a medium-severity vulnerability in SurrealDB, a database management system. The issue arises from improper authentication validation when a user switches databases using the USE clause or use method. An attacker with an authenticated session can impersonate an unrelated user in a different database if a user record with an identical identifier exists. This can lead to unauthorized actions if permissions rely solely on the $auth parameter.

Vendor
surrealdb
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of SurrealDB, especially those who rely on database switching and user authentication, should be aware of this vulnerability. Developers and administrators of applications using SurrealDB should assess their exposure and take necessary actions to mitigate the risk.

Technical summary

The vulnerability exists in SurrealDB versions before 1.5.4. When a user switches databases using the USE clause or use method, the system fails to properly validate authentication. This allows an attacker with an authenticated session to impersonate another user in a different database, provided that user has the same identifier. The impact is significant if access control relies solely on the $auth parameter, as it could lead to unauthorized actions.

Defensive priority

Medium priority should be given to patching SurrealDB installations, as the vulnerability can be exploited by authenticated users. Immediate action is recommended for environments where database switching and user impersonation could lead to significant security risks.

Recommended defensive actions

  • Patch SurrealDB to version 1.5.4 or later
  • Review and update authentication and authorization mechanisms
  • Monitor for suspicious database switching activity
  • Implement additional access controls beyond $auth parameter if necessary
  • Confirm whether affected SurrealDB deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-18T14:17:09.187Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited details are available about the specific conditions and potential mitigations beyond patching.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:09.187Z and has not been modified since then. The NVD entry is currently Received.