Summary
A record user could learn the value of a hidden field by counting how many records match a guess.
When DEFINE FIELD ... PERMISSIONS FOR select WHERE ... hides a field's contents from a caller, and that field is indexed, running SELECT count() FROM t WHERE hidden_field = "guess" GROUP ALL returned a count greater than zero whenever a record actually had that value, even though the caller was never allowed to read the field directly. The query planner used an indexed-COUNT shortcut (Index::Count, IndexCountScan, or the legacy Iterate Index Count / Iterate Index Keys paths) that counts matching index entries and skips the permission check that would normally hide the value. The same query with WITH NOINDEX correctly returned [], confirming the gap.
By repeating the count query with different guesses, an attacker can confirm or recover the contents of any restricted field they could not read through a normal SELECT.
Workarounds
Users unable to patch are advised to consider the following workarounds:
- Avoid
DEFINE INDEXon fields whose values are protected by field-level SELECT permissions. The class of attack is specific to the indexed fast paths. - Restrict the ability of record users to issue arbitrary
SELECT count() … GROUP ALLqueries against tables containing field-protected columns. - Use namespace / database isolation as the primary boundary where feasible.
Impact
What an attacker can do:
- Confirm or recover values of a field protected by field-level SELECT permissions on any table they hold table-level SELECT on, provided the field is indexed.
- Repeat the query with different guesses to read restricted field contents one value at a time.
What it can't do:
- Read fields that are not indexed (the shortcut only fires when an index covers the predicate column).
- Cross table, database or namespace isolation boundaries.
- Modify data, escalate privileges, or affect availability.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
GHSA-C8JX-96C9-8XRP has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The legacy planner (surrealdb/core/src/idx/planner/tree.rs) and the streaming planner (surrealdb/core/src/exec/planner/select/mod.rs) now both refuse the indexed fast path when the WHERE / ORDER tree references a field governed by a non-Full SELECT permission:
resolve_indexesskips any B-tree / unique index whose columns are governed by such a permission.- A new
cond_touches_restricted_fieldflag is propagated;eval_countrefuses a dedicatedIndex::Countwhen set. - The streaming planner adds
cond_touches_restricted_select_field, aRestrictedIdiomCheckervisitor that matches each idiom against the table's field-permission prefixes (loaded via the plan-time txn), and gatesIndexCountScanemission on it. - The fast paths are preserved for root / owner sessions via
should_check_perms_for_view.
Versions 3.1.0 and later are not affected.
Frequently Asked Questions
- What is GHSA-C8JX-96C9-8XRP? GHSA-C8JX-96C9-8XRP is a medium-severity incorrect authorization vulnerability in surrealdb (rust), affecting versions < 3.1.0. It is fixed in 3.1.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is GHSA-C8JX-96C9-8XRP? GHSA-C8JX-96C9-8XRP has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of surrealdb are affected by GHSA-C8JX-96C9-8XRP? surrealdb (rust) versions < 3.1.0 is affected.
- Is there a fix for GHSA-C8JX-96C9-8XRP? Yes. GHSA-C8JX-96C9-8XRP is fixed in 3.1.0. Upgrade to this version or later.
- Is GHSA-C8JX-96C9-8XRP exploitable, and should I be worried? Whether GHSA-C8JX-96C9-8XRP is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-C8JX-96C9-8XRP is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-C8JX-96C9-8XRP? Upgrade
surrealdbto 3.1.0 or later.