CVE-2025-11060

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

26/09/2025

Last modified:

26/09/2025

Description

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.70 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x

5.70

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://access.redhat.com/security/cve/CVE-2025-11060
https://bugzilla.redhat.com/show_bug.cgi?id=2394708
https://github.com/surrealdb/surrealdb
https://github.com/surrealdb/surrealdb/commit/d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c
https://github.com/surrealdb/surrealdb/pull/6247
https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc
https://surrealdb.com/docs/surrealql/statements/live