GHSA-5qfp-32cf-69jh: SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers

July 1, 2026

The HTTP /rpc sessions method returned every attached session UUID without authentication, and the /rpc handler accepted an arbitrary session field with no ownership check. An anonymous caller could enumerate UUIDs and impersonate any authenticated session.

“Attached” means sessions registered via {"method":"attach"}, which is the only writer to the HTTP session map. Ordinary stateless /rpc requests use ephemeral per-request sessions that are filtered out of the sessions() result and destroyed at end-of-request, so they are not enumerable through this method.
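To make the two defects concrete, the following Rust model puts the pre-3.1.0 behaviour described above beside a hardened variant. This is example code written for this page, not SurrealDB's source and not the fix in the referenced commit; the registry type, the `owner` field, the sample UUIDs and the remediation shown (authenticated caller plus ownership check on the `session` field) are this example's assumptions.

```rust
use std::collections::HashMap;

/// One entry in the HTTP session map. Names are this example's own,
/// not SurrealDB's internal types.
#[derive(Clone, Debug, PartialEq)]
pub struct Session {
    /// Session identifier; a UUID string on the real server.
    pub id: String,
    /// Authenticated principal that attached the session, None when anonymous.
    pub owner: Option<String>,
    /// Per-request session: filtered from `sessions()` and dropped at end-of-request.
    pub ephemeral: bool,
}

#[derive(Debug, PartialEq)]
pub enum RpcError {
    Unauthorized,
    NotFound,
}

#[derive(Default)]
pub struct Registry {
    map: HashMap<String, Session>,
}

impl Registry {
    /// `{"method":"attach"}`: the only writer to the session map.
    pub fn attach(&mut self, id: &str, owner: &str) {
        let s = Session { id: id.into(), owner: Some(owner.into()), ephemeral: false };
        self.map.insert(id.into(), s);
    }

    /// A stateless /rpc request gets an ephemeral session for its own duration.
    pub fn ephemeral(&mut self, id: &str) {
        let s = Session { id: id.into(), owner: None, ephemeral: true };
        self.map.insert(id.into(), s);
    }

    /// Pre-3.1.0 `sessions` as the advisory describes it: every attached UUID,
    /// returned to any caller, authenticated or not.
    pub fn sessions_vulnerable(&self) -> Vec<String> {
        let mut ids: Vec<String> =
            self.map.values().filter(|s| !s.ephemeral).map(|s| s.id.clone()).collect();
        ids.sort();
        ids
    }

    /// Assumed hardening (this example's, not the project's patch): the caller must
    /// be authenticated and only sees the attached sessions it owns.
    pub fn sessions_hardened(&self, caller: Option<&str>) -> Result<Vec<String>, RpcError> {
        let caller = caller.ok_or(RpcError::Unauthorized)?;
        let mut ids: Vec<String> = self
            .map
            .values()
            .filter(|s| !s.ephemeral && s.owner.as_deref() == Some(caller))
            .map(|s| s.id.clone())
            .collect();
        ids.sort();
        Ok(ids)
    }

    /// Pre-3.1.0 dispatch: whatever `session` the request body names is used as-is.
    pub fn resolve_vulnerable(&self, requested: &str) -> Result<&Session, RpcError> {
        self.map.get(requested).ok_or(RpcError::NotFound)
    }

    /// Hardened dispatch: the named session must exist and belong to the caller.
    /// Unknown and foreign UUIDs get the same answer, so the endpoint is not an
    /// existence oracle for session identifiers.
    pub fn resolve_hardened(&self, caller: Option<&str>, requested: &str) -> Result<&Session, RpcError> {
        match self.map.get(requested) {
            Some(s) if caller.is_some() && s.owner.as_deref() == caller => Ok(s),
            _ => Err(RpcError::Unauthorized),
        }
    }
}

/// Constructed sample state: two attached sessions and one in-flight ephemeral one.
pub fn sample_registry() -> Registry {
    let mut reg = Registry::default();
    reg.attach("7f0c7e1e-0000-4000-8000-000000000001", "alice");
    reg.attach("7f0c7e1e-0000-4000-8000-000000000002", "bob");
    reg.ephemeral("7f0c7e1e-0000-4000-8000-0000000000ff");
    reg
}

/// Anonymous caller replaying the advisory's attack on the vulnerable path:
/// enumerate, then present each UUID as its own. Returns the owners impersonated.
pub fn anonymous_hijack_vulnerable(reg: &Registry) -> Vec<String> {
    reg.sessions_vulnerable()
        .iter()
        .filter_map(|id| reg.resolve_vulnerable(id).ok())
        .filter_map(|s| s.owner.clone())
        .collect()
}

/// The same attacker on the hardened path: enumeration is refused, and a UUID
/// obtained some other way is still rejected because it is not the caller's.
pub fn anonymous_hijack_hardened(reg: &Registry, guessed: &str) -> (Result<Vec<String>, RpcError>, Result<(), RpcError>) {
    (reg.sessions_hardened(None), reg.resolve_hardened(None, guessed).map(|_| ()))
}

fn main() {
    let reg = sample_registry();
    println!("vulnerable: anonymous caller impersonates {:?}", anonymous_hijack_vulnerable(&reg));
    println!("hardened:   {:?}", anonymous_hijack_hardened(&reg, "7f0c7e1e-0000-4000-8000-000000000001"));
}
```

Both checks are needed: restricting `sessions` to the caller's own entries stops enumeration, and the ownership check in dispatch stops a leaked or guessed UUID from being usable at all, which is the part that turns an information leak into full session hijack in the vulnerable version.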

References

  • github.com/advisories/GHSA-5qfp-32cf-69jh
  • github.com/surrealdb/surrealdb/commit/fd800fc7c55afcdc97057d18cf7cb7f83557e702
  • github.com/surrealdb/surrealdb/security/advisories/GHSA-5qfp-32cf-69jh

Affected versions

All versions before 3.1.0

Fixed versions

  • 3.1.0

Solution

Upgrade to version 3.1.0 or above.

Impact 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weakness

  • CWE-384: Session Fixation

Source file

cargo/surrealdb/GHSA-5qfp-32cf-69jh.yml

Page generated Thu, 02 Jul 2026 12:22:37 +0000.