SurrealDB's Trojan Horse: The Confused Deputy in Future Fields
Jan 23, 2026 · 6 min read
Executive Summary (TL;DR)
SurrealDB allows users to define 'future' fields and functions that execute dynamically. Prior to version 2.5.0, this logic executed with the permissions of the *invoking* user, not the *creating* user. An attacker with basic 'Edit' rights can define a field that creates a Root user, wait for an actual Root admin to query that field, and effectively hijack the database using the admin's own credentials.
A critical Confused Deputy vulnerability in SurrealDB allows low-privileged users to plant malicious logic in database schemas (Functions, Future Fields) that subsequently executes with the high privileges of any administrator who interacts with them. This results in total system compromise via privilege escalation.
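Two checks a defender wants after reading the summary above are (1) whether a given server build falls inside the affected ranges and (2) whether any future field or custom function already in a schema carries privileged statements that would run in an administrator's context. The following Python is an added example written for this page, not code from SurrealDB or from the advisory. It assumes the documented SurrealQL shapes `DEFINE FIELD ... VALUE <future> { ... }`, `DEFINE FUNCTION fn::name(...) { ... }` and `DEFINE USER ... ON ROOT ... ROLES OWNER`; the schema text is a constructed sample, not output captured from a real server, and the function names `is_affected` and `audit_schema` are this example's own.

```python
import re

# Constructed sample in the shape of the schema portion of `INFO FOR DB` output
# (assumption: SurrealQL 2.x DEFINE syntax). Two definitions are benign, two are
# the pattern the advisory describes: privileged statements planted inside logic
# that a later, more privileged caller will evaluate.
SAMPLE_SCHEMA = """
DEFINE FIELD age ON TABLE person VALUE <future> { time::now() - born };
DEFINE FUNCTION fn::greet($n: string) { RETURN "hi " + $n; };
DEFINE FIELD note ON TABLE person VALUE <future> { DEFINE USER planted ON ROOT PASSWORD 'PLACEHOLDER' ROLES OWNER; RETURN 1; };
DEFINE FUNCTION fn::report() { REMOVE USER someone ON ROOT; };
"""

# Statements that have no business inside a computed field or a function body:
# they change users, access methods or the namespace/database layout itself.
PRIVILEGED = re.compile(
    r"\b(DEFINE|REMOVE)\s+(USER|ACCESS|TOKEN|SCOPE|NAMESPACE|DATABASE)\b", re.I
)

_FUTURE_FIELD = re.compile(
    r"DEFINE\s+FIELD\s+(\S+)\s+ON\s+(?:TABLE\s+)?(\S+)[^;]*?<future>\s*\{", re.I
)
_FUNCTION = re.compile(r"DEFINE\s+FUNCTION\s+(fn::[\w:]+)\s*\([^)]*\)\s*\{", re.I)


def _balanced(text, start):
    """Return the text between the '{' just before `start` and its matching '}'."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in schema text")


def _bodies(schema):
    """Yield (kind, name, body) for every future field and custom function."""
    for m in _FUTURE_FIELD.finditer(schema):
        yield "future field", f"{m.group(2)}.{m.group(1)}", _balanced(schema, m.end())
    for m in _FUNCTION.finditer(schema):
        yield "function", m.group(1), _balanced(schema, m.end())


def audit_schema(schema):
    """List (kind, name, statement) for each privileged statement found inside
    deferred logic. An empty list means nothing suspicious was planted."""
    findings = []
    for kind, name, body in _bodies(schema):
        for m in PRIVILEGED.finditer(body):
            findings.append((kind, name, " ".join(m.group(0).split()).upper()))
    return findings


def is_affected(version):
    """True when a version string (e.g. the output of `surreal version`) falls in
    the ranges given on this page: < 2.5.0, or a 3.0.0 pre-release before beta.3."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?\b", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(4)) if m.group(4) else None
    if major < 2:
        return True
    if major == 2:
        return (minor, patch) < (5, 0)
    if (major, minor, patch) == (3, 0, 0) and beta is not None:
        return beta < 3
    return False


if __name__ == "__main__":
    print("affected:", is_affected("2.4.9"))
    for kind, name, stmt in audit_schema(SAMPLE_SCHEMA):
        print(f"{kind} {name}: contains {stmt}")
```

Run the audit against the schema text returned by `INFO FOR DB` for every database, not just the ones administrators normally touch: the whole point of the bug is that the planted definition waits for a higher-privileged reader. Any hit from `audit_schema` on an unpatched build is a definition worth removing before a root session evaluates it, and the version check is only a first filter, since a schema planted before the upgrade is still worth reviewing afterwards.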
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| SurrealDB | < 2.5.0 | 2.5.0 |
| SurrealDB | < 3.0.0-beta.3 | 3.0.0-beta.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-269 |
| CWE Name | Improper Privilege Management |
| Attack Vector | Network (Authenticated) |
| CVSS | 7.5 (High) |
| Impact | Privilege Escalation / RCE |
| Exploit Status | PoC Available |
| Patch Commit | f515c91363ee735aa1bc08580d9e7fa0de6e736f |