GHSA-4V76-CW68-4VC9
Vulnerability from github – Published: 2026-07-01 20:13 – Updated: 2026-07-01 20:13A LIVE query whose WHERE clause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type — for example LIVE SELECT * FROM t WHERE string::trim(deny) — triggered an evaluation error inside the LIVE notification path. That error then propagated through to the triggering write, rolling back the attempted change.
While such a LIVE query was registered, all CREATE, UPDATE, and DELETE operations on the watched table failed — including those issued by a root user — for as long as the registration remained active. Registering the LIVE required select permission on the table; no other permission on the table was needed.
Impact
An authenticated user with select permission on a table can prevent all CREATE, UPDATE, and DELETE operations on that table — by any other user, up to and including root — for the lifetime of a single registered LIVE query. Service is restored when the LIVE query is killed or the session that registered it ends.
Patches
A patch has been introduced that:
- Decouples LIVE query evaluation errors from the source transaction — when
lq_checkreturns an error during the LIVE notification path, the error is now reported to the LIVE subscriber as anAction::Errornotification and the LIVE processing path returnsOk(()). The triggering write proceeds normally. -
Defers the error notification until after the permission check — the
Action::Errornotification is only delivered after the LIVE subscription'sPERMISSIONSclause has been evaluated, so unauthorised subscribers do not learn even that an error occurred (closing an information-disclosure side channel introduced by the first part of the fix). -
Versions 3.1.0 and later are not affected by this issue.
Workarounds
Users unable to upgrade should restrict the ability of untrusted users to register LIVE queries by removing the select permission on tables they want to keep writeable, or by gating LIVE registration at the application layer.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T20:13:37Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A `LIVE` query whose `WHERE` clause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type \u2014 for example `LIVE SELECT * FROM t WHERE string::trim(deny)` \u2014 triggered an evaluation error inside the LIVE notification path. That error then propagated through to the triggering write, rolling back the attempted change.\n\nWhile such a `LIVE` query was registered, all `CREATE`, `UPDATE`, and `DELETE` operations on the watched table failed \u2014 including those issued by a root user \u2014 for as long as the registration remained active. Registering the `LIVE` required `select` permission on the table; no other permission on the table was needed.\n\n### Impact\n\nAn authenticated user with `select` permission on a table can prevent all `CREATE`, `UPDATE`, and `DELETE` operations on that table \u2014 by any other user, up to and including root \u2014 for the lifetime of a single registered `LIVE` query. Service is restored when the `LIVE` query is killed or the session that registered it ends.\n\n### Patches\n\nA patch has been introduced that:\n\n1. **Decouples LIVE query evaluation errors from the source transaction** \u2014 when `lq_check` returns an error during the LIVE notification path, the error is now reported to the LIVE subscriber as an `Action::Error` notification and the LIVE processing path returns `Ok(())`. The triggering write proceeds normally.\n2. **Defers the error notification until after the permission check** \u2014 the `Action::Error` notification is only delivered after the LIVE subscription\u0027s `PERMISSIONS` clause has been evaluated, so unauthorised subscribers do not learn even that an error occurred (closing an information-disclosure side channel introduced by the first part of the fix).\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nUsers unable to upgrade should restrict the ability of untrusted users to register `LIVE` queries by removing the `select` permission on tables they want to keep writeable, or by gating LIVE registration at the application layer.",
"id": "GHSA-4v76-cw68-4vc9",
"modified": "2026-07-01T20:13:37Z",
"published": "2026-07-01T20:13:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-4v76-cw68-4vc9"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/af835eb199ad2327a04c42101d11aff21fce7e47"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/b29e03f0714d1c4ec091fc6f27f1edbe243b8aec"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table required"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.