PatchSiren

surrealdb CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM surrealdb CVE published 2026-07-17

CVE-2026-63309

CVE-2026-63309 is a medium-severity vulnerability in SurrealDB, a database management system. The issue arises from the failure to apply field-level SELECT permissions to ORDER BY clauses in versions prior to 3.1.5. This oversight allows authenticated users to infer the relative ordering of restricted field values by issuing ORDER BY queries on indexed restricted fields. Consequently, attackers can recove [truncated]