CVE-2025-11060

Published: Sep 26, 2025Modified: Sep 26, 2025

5.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.1 / Impact: 3.6

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (7)

https://access.redhat.com/security/cve/CVE-2025-11060

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2394708

Source: secalert@redhat.com

https://github.com/surrealdb/surrealdb

Source: secalert@redhat.com

https://github.com/surrealdb/surrealdb/commit/d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c

Source: secalert@redhat.com

https://github.com/surrealdb/surrealdb/pull/6247

Source: secalert@redhat.com

https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc

Source: secalert@redhat.com

https://surrealdb.com/docs/surrealql/statements/live

Source: secalert@redhat.com

Timeline

No history available yet.