2 matches found
CVE-2026-63309 SurrealDB < 3.1.5 Information Disclosure via ORDER BY
SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records...
CVE-2026-63309
CVE-2026-63309 affects SurrealDB prior to 3.1.5. The issue occurs because field-level SELECT permissions are not applied to ORDER BY clauses, allowing authenticated users to infer the relative ordering of restricted-field values. Attackers can issue ORDER BY queries on indexed restricted fields t...