Advisory Database

GHSA-4vgr-h27g-cf9p: SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation

July 1, 2026

The HTTP /rpc endpoint has a time-of-check/time-of-use (TOCTOU) race condition on internal session state. When authenticated and unauthenticated requests are processed concurrently, the unauthenticated request can inherit the authenticated user’s session and privileges. The /rpc endpoint is the primary interface used by all official SurrealDB SDKs.

The HTTP /rpc handler does not bind each incoming request to an isolated session context. Instead, concurrent requests share mutable authentication state. When an authenticated request sets the session context and an unauthenticated request races in before it is cleared, the unauthenticated request executes with the authenticated user’s privileges.

The impact depends on the privilege level of the session that is hijacked. If a root or namespace-level user session is inherited, the attacker can read and modify any data, delete records, and create persistent namespace-level users. If a scoped record user session is inherited, the attacker is limited to that user’s permissions.

The attack requires no credentials, tokens, or session knowledge — only the ability to send concurrent HTTP requests to the /rpc endpoint while legitimate authenticated traffic is active.
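The two handler shapes the advisory contrasts, as an added example that is not SurrealDB's code and is not the fix in the referenced commits. It is a minimal Rust model in which `Auth`, `Request`, `authenticate`, `SharedSessionHandler` and `handle_isolated` are all constructed for illustration and `Basic root:root` is a made-up credential. The shared-session handler replays the check-then-use interleaving deterministically and then lets real threads race on it; the isolated handler derives the session from the request's own headers alone, so there is nothing for a concurrent request to inherit.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

/// Privilege a request executes with. Constructed for this example.
#[derive(Clone, Debug, PartialEq)]
pub enum Auth {
    Anonymous,
    Root { user: String },
}

/// The only part of an incoming /rpc request this model looks at.
pub struct Request {
    pub authorization: Option<String>,
}

/// Stand-in credential check (assumption: the real server verifies stored users).
pub fn authenticate(req: &Request) -> Auth {
    match req.authorization.as_deref() {
        Some("Basic root:root") => Auth::Root { user: "root".to_string() },
        _ => Auth::Anonymous,
    }
}

/// Vulnerable shape: one mutable session shared by every request on the endpoint.
#[derive(Clone)]
pub struct SharedSessionHandler {
    session: Arc<Mutex<Auth>>,
}

impl SharedSessionHandler {
    pub fn new() -> Self {
        SharedSessionHandler { session: Arc::new(Mutex::new(Auth::Anonymous)) }
    }
    /// Check: credentials, when present, are written into the shared session.
    /// A request without credentials leaves whatever is already there untouched.
    pub fn begin(&self, req: &Request) {
        let auth = authenticate(req);
        if auth != Auth::Anonymous {
            *self.session.lock().unwrap() = auth;
        }
    }
    /// Use: the RPC body runs with whatever the shared session holds right now.
    pub fn execute(&self) -> Auth {
        self.session.lock().unwrap().clone()
    }
    /// Cleanup: only after the request finishes does the session drop to anonymous.
    pub fn finish(&self) {
        *self.session.lock().unwrap() = Auth::Anonymous;
    }
}

/// Fixed shape: the session is a value owned by this request, derived only from
/// its own headers. No shared mutable state, so no window to race into.
pub fn handle_isolated(req: &Request) -> Auth {
    authenticate(req)
}

/// Deterministic replay of the bad interleaving: the unauthenticated request is
/// checked and executed between the authenticated request's begin() and finish().
/// Returns the privilege the unauthenticated request actually executed with.
pub fn unauthenticated_privileges_shared(interleaved: bool) -> Auth {
    let h = SharedSessionHandler::new();
    let root = Request { authorization: Some("Basic root:root".to_string()) };
    let anon = Request { authorization: None };
    h.begin(&root);
    let _ = h.execute(); // the legitimate user's RPC runs as root
    if !interleaved {
        h.finish(); // no overlap: root's session is cleared before the next request
    }
    h.begin(&anon); // check: no credentials, nothing written
    let observed = h.execute(); // use: reads whatever the shared session holds
    if interleaved {
        h.finish();
    }
    observed
}

/// The same unauthenticated request against the per-request design.
pub fn unauthenticated_privileges_isolated() -> Auth {
    handle_isolated(&Request { authorization: None })
}

/// Non-deterministic version: real threads interleave on the shared handler.
/// Returns how many anonymous requests observed root privileges.
pub fn hijacks_under_concurrency(rounds: usize) -> usize {
    let h = SharedSessionHandler::new();
    let hits = Arc::new(Mutex::new(0usize));
    let mut threads = Vec::new();
    for _ in 0..rounds {
        let (h1, h2, hits2) = (h.clone(), h.clone(), Arc::clone(&hits));
        threads.push(thread::spawn(move || {
            h1.begin(&Request { authorization: Some("Basic root:root".to_string()) });
            let _ = h1.execute();
            h1.finish();
        }));
        threads.push(thread::spawn(move || {
            h2.begin(&Request { authorization: None });
            if let Auth::Root { .. } = h2.execute() {
                *hits2.lock().unwrap() += 1;
            }
        }));
    }
    for t in threads {
        t.join().unwrap();
    }
    let n = *hits.lock().unwrap();
    n
}

fn main() {
    println!("replayed race, shared session: {:?}", unauthenticated_privileges_shared(true));
    println!("same request, isolated session: {:?}", unauthenticated_privileges_isolated());
    println!("hijacks in 200 concurrent rounds: {}", hijacks_under_concurrency(200));
}
```

The deterministic replay is the part worth keeping as a regression test: it pins the exact interleaving the advisory describes. The threaded count only shows that the window is real under genuine concurrency and will vary from run to run, which is also why a fix must remove the shared state rather than shrink the window.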

References

  • github.com/advisories/GHSA-4vgr-h27g-cf9p
  • github.com/surrealdb/surrealdb/commit/2f53e6e86d1b87e38300e714cfd7aede1abe4c3d
  • github.com/surrealdb/surrealdb/commit/fd800fc7c55afcdc97057d18cf7cb7f83557e702
  • github.com/surrealdb/surrealdb/security/advisories/GHSA-4vgr-h27g-cf9p

Affected versions

All versions before 3.1.0

Fixed versions

  • 3.1.0

Solution

Upgrade to version 3.1.0 or above.

Impact 8.1 HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Source file

cargo/surrealdb/GHSA-4vgr-h27g-cf9p.yml
