PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-63309 surrealdb CVE debrief

CVE-2026-63309 is a medium-severity vulnerability in SurrealDB, a database management system. The issue arises from the failure to apply field-level SELECT permissions to ORDER BY clauses in versions prior to 3.1.5. This oversight allows authenticated users to infer the relative ordering of restricted field values by issuing ORDER BY queries on indexed restricted fields. Consequently, attackers can recover the hidden values' sort order across records, even though the field itself returns null as intended. The vulnerability has a CVSS score of 5.3 and is classified as CWE-863.

Vendor
surrealdb
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of SurrealDB, especially those with sensitive data, should be aware of this vulnerability. Authenticated users with access to restricted fields may be able to infer information about those fields through cleverly crafted queries. Database administrators and security teams should prioritize updating to version 3.1.5 or later to mitigate this risk.

Technical summary

The vulnerability in SurrealDB arises from inadequate permission checks in ORDER BY clauses. Normally, field-level SELECT permissions restrict access to certain fields. However, when using ORDER BY on indexed restricted fields, these permissions are not properly enforced. This allows an attacker to determine the relative order of values in restricted fields across different records. The attack requires the attacker to be authenticated and have knowledge of the database schema, particularly the indexing of restricted fields. The vulnerability does not allow direct access to the restricted field values but enables inference of their relative order.

Defensive priority

Medium priority should be given to updating SurrealDB to version 3.1.5 or later. In the meantime, database administrators can consider restricting ORDER BY clauses for sensitive fields or closely monitoring query logs for suspicious activity.

Recommended defensive actions

  • Update SurrealDB to version 3.1.5 or later
  • Review and restrict ORDER BY clause usage for sensitive fields
  • Monitor query logs for suspicious activity
  • Implement additional access controls for sensitive data
  • Perform a thorough review of database schema and indexing
  • Verify authentication and authorization settings for SurrealDB
  • Track and document changes to database configurations and user access

Evidence notes

The CVE record was published on 2026-07-17T17:17:17.717Z and was last modified on 2026-07-17T18:28:39.220Z. The NVD entry is currently Deferred. The vulnerability was disclosed by Vulncheck, and details can be found in their advisory.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:17.717Z and has not been modified since then. The NVD entry is currently Deferred.