SurrealDB: USE NS/DB implicit creation bypasses DEFINE authorization

Moderate severity GitHub Reviewed Published May 27, 2026 in surrealdb/surrealdb • Updated Jul 1, 2026

Package

cargo surrealdb (Rust)

Affected versions

< 3.1.0

Patched versions

3.1.0

Description

An anonymous caller could create new namespaces and databases on a running SurrealDB instance without holding DEFINE NAMESPACE or DEFINE DATABASE permission.

USE NS <name> and USE DB <name> automatically create the target when it does not exist. The three places USE is handled — the RPC use method, Datastore::process_use, and the SurrealQL executor — did not check whether the caller was allowed to create the resource. Under default capabilities any session reached this path, including an unauthenticated guest.

Impact

What an attacker can do:

  • Create new namespaces and databases without DEFINE NAMESPACE / DEFINE DATABASE permission. An unauthenticated guest is enough under default capabilities.
  • Recreate a parent namespace that an operator deliberately dropped, using a stale namespace-Editor token, by running USE NS <dropped> DB anything.
  • Exhaust catalog storage by repeatedly creating new resources.

What it can't do:

  • Read or modify data inside any pre-existing namespace or database.
  • Escalate to root or namespace-owner privileges on existing resources.
  • Affect deployments running with auth_enabled=false.

Patches

All three USE entry points now check whether the caller has DEFINE NAMESPACE / DEFINE DATABASE authority before creating a missing target. Sessions still update their context regardless of authorization, so SDKs that send use before signin continue to work — only the catalog creation step is gated. The parent-namespace side-effect path is closed by the same check.

Versions 3.1.0 and later are not affected.
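As an added illustration of the gating described above (this is example code written for this page in Rust, not SurrealDB's own implementation), the model below shows the pre-fix shape, where any caller reaching USE silently creates a missing namespace and database, beside the post-fix shape, where the session context is still updated unconditionally but each catalog creation step is gated on the corresponding DEFINE authority. The `Actor`, `Catalog`, `Session` and `UseOutcome` types are constructed stand-ins for the real auth and catalog types, and the namespace-scoped editor token is modelled as holding DEFINE DATABASE authority only inside its own namespace, which is what closes the "recreate a dropped parent namespace" side effect.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Who is issuing the USE statement (constructed model, not SurrealDB's auth types).
#[derive(Debug, Clone, PartialEq)]
pub enum Actor {
    /// Unauthenticated session under default capabilities.
    Guest,
    /// Holds DEFINE NAMESPACE and DEFINE DATABASE authority everywhere.
    Root,
    /// Token scoped to one namespace: may DEFINE DATABASE inside it only.
    NsEditor(String),
}

impl Actor {
    fn can_define_namespace(&self) -> bool {
        matches!(self, Actor::Root)
    }
    fn can_define_database(&self, ns: &str) -> bool {
        match self {
            Actor::Root => true,
            Actor::NsEditor(scope) => scope == ns,
            Actor::Guest => false,
        }
    }
}

/// Minimal catalog: namespace name -> set of database names.
#[derive(Debug, Default)]
pub struct Catalog {
    pub namespaces: BTreeMap<String, BTreeSet<String>>,
}

/// The per-connection context that USE NS/DB updates.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct Session {
    pub ns: Option<String>,
    pub db: Option<String>,
}

/// What the gated USE did to the catalog.
#[derive(Debug, PartialEq)]
pub enum UseOutcome {
    /// Target already existed; nothing to create.
    Existed,
    /// Caller held the needed authority and the target was created.
    Created,
    /// Target was missing and the caller lacked the named authority;
    /// the session context was still updated, the catalog was not.
    NotCreated(&'static str),
}

/// Pre-fix shape of the bug: any caller reaching USE silently creates
/// a missing namespace and database.
pub fn use_ns_db_unchecked(cat: &mut Catalog, sess: &mut Session, ns: &str, db: &str) {
    sess.ns = Some(ns.to_string());
    sess.db = Some(db.to_string());
    cat.namespaces
        .entry(ns.to_string())
        .or_default()
        .insert(db.to_string());
}

/// Post-fix shape: the session context is updated unconditionally so that
/// `use` before `signin` keeps working, but each catalog creation step is
/// gated on the corresponding DEFINE authority.
pub fn use_ns_db_checked(
    cat: &mut Catalog,
    sess: &mut Session,
    actor: &Actor,
    ns: &str,
    db: &str,
) -> UseOutcome {
    sess.ns = Some(ns.to_string());
    sess.db = Some(db.to_string());

    let mut created = false;
    if !cat.namespaces.contains_key(ns) {
        // Missing parent namespace: only DEFINE NAMESPACE authority may create it.
        // A stale namespace-scoped token does not qualify.
        if !actor.can_define_namespace() {
            return UseOutcome::NotCreated("DEFINE NAMESPACE");
        }
        cat.namespaces.insert(ns.to_string(), BTreeSet::new());
        created = true;
    }
    let dbs = cat.namespaces.get_mut(ns).expect("namespace present");
    if !dbs.contains(db) {
        if !actor.can_define_database(ns) {
            return UseOutcome::NotCreated("DEFINE DATABASE");
        }
        dbs.insert(db.to_string());
        created = true;
    }
    if created { UseOutcome::Created } else { UseOutcome::Existed }
}

fn main() {
    let mut cat = Catalog::default();
    let mut sess = Session::default();
    use_ns_db_unchecked(&mut cat, &mut sess, "acme", "app");
    println!("unchecked, guest: catalog = {:?}", cat.namespaces);

    let mut cat = Catalog::default();
    let r = use_ns_db_checked(&mut cat, &mut sess, &Actor::Guest, "acme", "app");
    println!("checked, guest: {:?}, catalog = {:?}, session = {:?}", r, cat.namespaces, sess);

    let r = use_ns_db_checked(&mut cat, &mut sess, &Actor::Root, "acme", "app");
    println!("checked, root: {:?}", r);
    cat.namespaces.remove("acme"); // operator deliberately drops the namespace
    let stale = Actor::NsEditor("acme".to_string());
    let r = use_ns_db_checked(&mut cat, &mut sess, &stale, "acme", "anything");
    println!("checked, stale editor on dropped ns: {:?}", r);
}
```

The point of the design is the split the advisory describes: the context update and the catalog write are separate steps, and only the second one consults authority, so an SDK that sends `use` before `signin` still gets a session pointing at the requested namespace and database while an unauthenticated or stale-token caller can no longer mint catalog entries.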

Workarounds

  • Set --deny-arbitrary-query * for guest principals to remove the entry point.
  • Run with --auth and require all callers to signin before issuing use.
  • Revoke namespace-level tokens promptly when a namespace is dropped.

References

@rowan-baker rowan-baker published to surrealdb/surrealdb May 27, 2026
Published to the GitHub Advisory Database Jul 1, 2026
Reviewed Jul 1, 2026
Last updated Jul 1, 2026

Severity

Moderate

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Weaknesses

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

CVE ID

No known CVE

GHSA ID

GHSA-wp87-mgvq-5j93
