PatchSiren cyber security CVE debrief
CVE-2024-58367 surrealdb CVE debrief
CVE-2024-58367 is a high-severity vulnerability in SurrealDB versions before 2.0.4, allowing authorized users to access unauthorized field values through various query techniques. The vulnerability has a CVSS score of 7.1 and is classified as HIGH. This issue affects SurrealDB deployments, and users should review official advisories to validate affected scope, severity, and vendor guidance. The CVE record is based on limited source detail, and defenders should verify the affected scope and severity. The vulnerability allows attackers to leak protected field contents despite lacking SELECT permissions.
- Vendor
- surrealdb
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of SurrealDB versions before 2.0.4, including developers, administrators, and security teams, should be aware of this vulnerability and take necessary actions to upgrade to a patched version. This includes reviewing field permissions, monitoring for suspicious activity, and implementing compensating controls. Security teams should prioritize vulnerability management and ensure that affected deployments are identified and remediated.
Technical summary
SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations. This allows authorized users to access unauthorized field values through various query techniques, including SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references. The vulnerability has a CVSS score of 7.1 and is classified as HIGH. Affected deployments should review official advisories to validate scope, severity, and vendor guidance. Users of SurrealDB should assess their exposure and plan for upgrades or mitigations.
Defensive priority
High
Recommended defensive actions
- Upgrade to SurrealDB version 2.0.4 or later
- Review and adjust field permissions for SELECT, UPDATE, and DELETE operations
- Monitor for suspicious activity and implement compensating controls
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-18T14:17:09.737Z and has not been modified since then. The NVD entry is currently Received. Evidence of exploitation is limited, and defenders should verify the affected scope and severity. The CVE record is based on limited source detail, and further verification is necessary to confirm the vulnerability's impact. Defenders should review official advisories and track exceptions, retesting remediated assets to ensure thorough remediation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:09.737Z and has not been modified since then. The NVD entry is currently Received.