
Description

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

Status: PUBLISHED | Reserved 2025-09-26 | Published 2025-09-26 | Updated 2025-09-26 | Assigner: redhat

Severity: MEDIUM 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

Problem types

Incorrect Authorization

Product status

Default status
affected

Timeline

2025-09-11: Reported to Red Hat.
2025-09-11: Made public.

References

access.redhat.com/security/cve/CVE-2025-11060 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2394708 (RHBZ#2394708) issue-tracking

github.com/surrealdb/surrealdb

github.com/...ommit/d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c

github.com/surrealdb/surrealdb/pull/6247

github.com/...realdb/security/advisories/GHSA-7vm2-j586-vcvc

surrealdb.com/docs/surrealql/statements/live

cve.org (CVE-2025-11060)

nvd.nist.gov (CVE-2025-11060)
