PatchSiren cyber security CVE debrief
CVE-2026-63309 surrealdb CVE debrief
CVE-2026-63309 is a medium-severity vulnerability in SurrealDB, a database management system. The issue arises from the failure to apply field-level SELECT permissions to ORDER BY clauses in versions prior to 3.1.5. This oversight allows authenticated users to infer the relative ordering of restricted field values by issuing ORDER BY queries on indexed restricted fields. Consequently, attackers can recover the hidden values' sort order across records, even though the field itself returns null as intended. The vulnerability has a CVSS score of 5.3 and is classified as CWE-863.
- Vendor
- surrealdb
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of SurrealDB, especially those with sensitive data, should be aware of this vulnerability. Authenticated users with access to restricted fields may be able to infer information about those fields through cleverly crafted queries. Database administrators and security teams should prioritize updating to version 3.1.5 or later to mitigate this risk.
Technical summary
The vulnerability in SurrealDB arises from inadequate permission checks in ORDER BY clauses. Normally, field-level SELECT permissions restrict access to certain fields. However, when using ORDER BY on indexed restricted fields, these permissions are not properly enforced. This allows an attacker to determine the relative order of values in restricted fields across different records. The attack requires the attacker to be authenticated and have knowledge of the database schema, particularly the indexing of restricted fields. The vulnerability does not allow direct access to the restricted field values but enables inference of their relative order.
Defensive priority
Medium priority should be given to updating SurrealDB to version 3.1.5 or later. In the meantime, database administrators can consider restricting ORDER BY clauses for sensitive fields or closely monitoring query logs for suspicious activity.
Recommended defensive actions
- Update SurrealDB to version 3.1.5 or later
- Review and restrict ORDER BY clause usage for sensitive fields
- Monitor query logs for suspicious activity
- Implement additional access controls for sensitive data
- Perform a thorough review of database schema and indexing
- Verify authentication and authorization settings for SurrealDB
- Track and document changes to database configurations and user access
Evidence notes
The CVE record was published on 2026-07-17T17:17:17.717Z and was last modified on 2026-07-17T18:28:39.220Z. The NVD entry is currently Deferred. The vulnerability was disclosed by Vulncheck, and details can be found in their advisory.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:17.717Z and has not been modified since then. The NVD entry is currently Deferred.