Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. surrealdb
  4. ›
  5. GHSA-wp87-mgvq-5j93

GHSA-wp87-mgvq-5j93: SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization

July 1, 2026

An anonymous caller could create new namespaces and databases on a running SurrealDB instance without holding DEFINE NAMESPACE or DEFINE DATABASE permission.

USE NS <name> and USE DB <name> automatically create the target when it does not exist. The three places USE is handled — the RPC use method, Datastore::process_use, and the SurrealQL executor — did not check whether the caller was allowed to create the resource. Under default capabilities any session reached this path, including an unauthenticated guest.

References

  • github.com/advisories/GHSA-wp87-mgvq-5j93
  • github.com/surrealdb/surrealdb/commit/f3ee3bd55533c14f1fa3e69ce18fc8904c1ce3f9
  • github.com/surrealdb/surrealdb/security/advisories/GHSA-wp87-mgvq-5j93

Code Behaviors & Features

Detect and mitigate GHSA-wp87-mgvq-5j93 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 3.1.0

Fixed versions

  • 3.1.0

Solution

Upgrade to version 3.1.0 or above.

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Learn more about CVSS

Weakness

  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization

Source file

cargo/surrealdb/GHSA-wp87-mgvq-5j93.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 02 Jul 2026 12:22:38 +0000.