SurrealDB: Information Disclosure via Arithmetic Operator Error Messages (GSA-kwCzR0hTQS02Zzl2LTdncTMtcDJjNs4ABZ_X) -DC-Jul2026-806


This vulnerability affects SurrealDB, a real-time multi-model database, and allows an authenticated user with UPDATE permissions to read the values of fields that are hidden from them by field‑level SELECT permissions. The root cause lies in the way arithmetic operators and the `extend` operator handle type errors. When an incompatible operation is performed on a hidden field — for example, adding a number to a string field — the database engine constructs an error message that includes the raw operand value.
Critically, the permission check for UPDATE operations evaluates against the unreduced document, meaning the hidden field’s value is still present in the document context at the time the error is triggered. If the operation fails due to a type mismatch, the error message discloses the actual value of the hidden field. An attacker can craft an UPDATE statement that forces such an error on a targeted hidden field, and then parse the returned error message to extract the field’s content.
The attack is straightforward: the user issues an UPDATE that performs an incompatible operation against a field they are not allowed to SELECT — e.g., `UPDATE person:me SET probe = email + 1` when `email` is a string. The error returned contains the raw value, such as `Tried to compute "[email protected]" + 1 …`. This technique can be repeated for any field on any record the user has UPDATE access to, one field per operation.
The flaw affects all SurrealDB versions prior to 3.1.0. The patch, introduced in version 3.1.0, replaces the raw operand in every `try_` operator and in `extend` with the operand’s type name (e.g., "string", "int", "array"). This prevents the actual value from appearing in error messages. Users who cannot upgrade immediately are advised to avoid granting UPDATE permissions on records where field‑level SELECT permissions are intended to hide values from the same caller.

DailyCVE Form:

Platform: SurrealDB
Version: < 3.1.0
Vulnerability: Information Disclosure
Severity: Medium
Date: 2026-07-01

Prediction: 2026-07-15

What Undercode Say:

# Check the running SurrealDB version
surreal version

-- Field-level SELECT permission that is meant to hide 'email' from other callers
DEFINE FIELD email ON person PERMISSIONS FOR select WHERE $auth.id = owner;

-- A caller with UPDATE but no SELECT on 'email' forces a type error on it
UPDATE person:me SET probe = email + 1;

-- Expected error output on an unpatched version (leaks the email value):
-- "Tried to compute \"[email protected]\" + 1 …"

-- Verify the patch by checking the error message after upgrading.
-- In a fixed version (>= 3.1.0) the same error becomes:
-- "Tried to compute string + int …"

Exploit:

  1. Identify a record and a hidden field (e.g., email) that the attacker has UPDATE but not SELECT permission on.
  2. Issue an UPDATE statement that forces a type error on that field, such as `UPDATE person:me SET probe = email + 1`.
  3. Capture the error message returned by the database.
  4. Parse the error message to extract the raw value of the hidden field (e.g., "[email protected]").
  5. Repeat for any other hidden fields on any record the attacker can UPDATE.

Protection:

  • Upgrade to SurrealDB version 3.1.0 or later.
  • If upgrade is not possible, do not grant UPDATE permissions on records where field‑level SELECT permissions are intended to hide values from the same caller.
  • Review all `DEFINE FIELD … PERMISSIONS` definitions to ensure UPDATE permissions are not overly broad.
  • Monitor error logs for suspicious UPDATE queries that might indicate exploitation attempts.
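As an added example that is not part of this advisory or of SurrealDB itself: a small Python checker that flags arithmetic error messages whose operands are raw values rather than the type names the 3.1.0 patch emits, plus a version test against the < 3.1.0 affected range. The sample error lines are constructed, and the type-name list beyond "string", "int" and "array" is an assumption.

```python
import re
from typing import List, NamedTuple, Optional

# Operand spellings the 3.1.0 patch substitutes for raw values. The advisory names
# "string", "int" and "array"; the rest is an assumption about other SurrealDB value
# kinds and is kept short on purpose so that unknown tokens are flagged.
TYPE_NAMES = {
    "string", "int", "float", "decimal", "number", "bool", "array", "object",
    "datetime", "duration", "uuid", "bytes", "record", "none", "null", "geometry",
}

# Matches the "Tried to compute <lhs> <op> <rhs>" shape quoted in the advisory.
# Assumption: single spaces around the operator; lhs is matched non-greedily so
# the first spaced operator wins (a quoted string containing " + " would misparse).
_PATTERN = re.compile(
    r"^Tried to compute (?P<lhs>.+?) (?P<op>\*\*|[-+*/%]) (?P<rhs>.+?)\s*(?:…|\.\.\.)?\s*$"
)

class Finding(NamedTuple):
    leaks: bool            # True when an operand is a raw value, not a type name
    operands: tuple        # (lhs, rhs) exactly as they appear in the message

def classify(message: str) -> Optional[Finding]:
    """None for messages that are not arithmetic type errors; otherwise whether
    either operand is something other than a bare type name."""
    m = _PATTERN.match(message.strip())
    if m is None:
        return None
    lhs, rhs = m.group("lhs"), m.group("rhs")
    # Fail safe: anything that is not a known type name is treated as a leaked value.
    return Finding(lhs not in TYPE_NAMES or rhs not in TYPE_NAMES, (lhs, rhs))

def is_affected(version: str) -> bool:
    """True for SurrealDB releases below 3.1.0 (leading 'v' and suffixes ignored)."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if core is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in core.groups()) < (3, 1, 0)

def leaking_messages(messages: List[str]) -> List[str]:
    """Subset of messages whose arithmetic error text exposes a raw operand."""
    hits = []
    for msg in messages:
        finding = classify(msg)
        if finding is not None and finding.leaks:
            hits.append(msg)
    return hits

# Constructed sample error lines, not captured from a real server.
SAMPLE_ERRORS = [
    'Tried to compute "alice@example.test" + 1 …',  # unpatched: raw string leaks
    "Tried to compute string + int …",              # patched: type names only
    'Tried to compute [1, 2] * "x" …',              # unpatched: raw array leaks
    "Database record `person:me` already exists",   # unrelated error, ignored
]
```

Run `leaking_messages(SAMPLE_ERRORS)` over a server's error log extract to find messages that should not appear after an upgrade, and `is_affected(...)` on the output of `surreal version` to confirm the running release is past the fix.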

Impact:

  • Confidentiality: An attacker with UPDATE permissions can read the values of fields they are not supposed to see, potentially exposing sensitive data such as email addresses, personal information, or credentials.
  • Scope: Any field on any record that the attacker has UPDATE access to can be targeted, one field per operation.
  • Attack Vector: Requires authenticated access with UPDATE privileges on at least one record; no special network or user interaction beyond normal database access.
  • Mitigation: The patch in version 3.1.0 fully closes the vector by removing raw values from error messages.


Sources:

Reported By: github.com
