Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. surrealdb
  4. ›
  5. GHSA-4m82-p8cx-f94j

GHSA-4m82-p8cx-f94j: SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls

July 1, 2026

A LIVE SELECT subscription records the user’s auth state ($auth, $token, $session, $access) when it is registered, and the server uses that recorded state to evaluate the table- and row-level PERMISSIONS clauses for every subsequent notification. The recorded state is never refreshed.

When something changes the user’s effective auth state — the originating session is invalidated, the session’s TTL expires, or the user signs in, signs up, or authenticates as a different identity on the same connection — the subscription keeps delivering notifications under the old, stale auth state, and the PERMISSIONS that should now apply to the connection are never consulted.

References

  • github.com/advisories/GHSA-4m82-p8cx-f94j
  • github.com/surrealdb/surrealdb/commit/6cc48412c975d51b47617708ec44abc11ca5a89a
  • github.com/surrealdb/surrealdb/commit/cbec0a73dc9575994d2b9c1aec26af539dc99878
  • github.com/surrealdb/surrealdb/security/advisories/GHSA-4m82-p8cx-f94j

Code Behaviors & Features

Detect and mitigate GHSA-4m82-p8cx-f94j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 3.1.0

Fixed versions

  • 3.1.0

Solution

Upgrade to version 3.1.0 or above.

Impact 4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-613: Insufficient Session Expiration

Source file

cargo/surrealdb/GHSA-4m82-p8cx-f94j.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 02 Jul 2026 12:22:21 +0000.