CVE-2026-49997
Severity CVSS v4.0:
Pending analysis
Type:
CWE-285
Improper Authorization
Publication date:
15/07/2026
Last modified:
15/07/2026
Description
SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed graph edge records with permissions disabled through opt.clone().with_perms(false) when a connected node was deleted, bypassing the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses. This issue is fixed in version 3.1.0.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM



