Skip to content

SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers

High severity GitHub Reviewed Published May 27, 2026 in surrealdb/surrealdb • Updated Jul 1, 2026

Package

cargo surrealdb (Rust)

Affected versions

< 3.1.0

Patched versions

3.1.0

Description

The HTTP /rpc sessions method returned every attached session UUID without authentication, and the /rpc handler accepted an arbitrary session field with no ownership check. An anonymous caller could enumerate UUIDs and impersonate any authenticated session.

"Attached" means sessions registered via {"method":"attach"} — the only writer to the HTTP session map. Ordinary stateless /rpc requests use ephemeral per-request sessions that are filtered from sessions() and destroyed at end-of-request, so they are not enumerable.

Exposure

  • Exposed: clients that issue attach, notably the official Rust SDK's Http/Https engine (auto-attaches once per Surreal handle).
  • Not exposed: REST endpoints (/sql, /key, /signin, /export, etc.); WebSocket /rpc (per-connection scope, attach refused); embedded / MCP usage; ad-hoc POST /rpc callers that never attach.

Impact

For each attached and authenticated session, an unauthenticated attacker can read, write, and delete any data the session can reach, dump metadata, invalidate sessions, and escalate to that session's privilege level (up to root). An attached session that has not yet authenticated is Level::No and confers no privilege.

Patches

  1. HTTP sessions() now returns method_not_allowed. WebSocket retains per-connection enumeration.
  2. The HTTP /rpc handler gates client-supplied session IDs against the caller's request-level auth principal (actor id + level); mismatches return session_not_found.
  3. Attached HTTP sessions are capped via SURREAL_HTTP_MAX_ATTACHED_SESSIONS.

Versions 3.1.0 and later are not affected.

Workarounds

No configuration-level mitigation fully addresses this. For Users unable to upgrade:

  • Avoid SDKs and client flows that call attach against HTTP /rpc (notably the Rust SDK's Http/Https engine). Prefer the WebSocket transport, or REST endpoints (/sql, /signin, /key, /export) which never populate the attached-session map.
  • Restrict /rpc to trusted clients at the network layer.

References

@rowan-baker rowan-baker published to surrealdb/surrealdb May 27, 2026
Published to the GitHub Advisory Database Jul 1, 2026
Reviewed Jul 1, 2026
Last updated Jul 1, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS score

Weaknesses

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-5qfp-32cf-69jh

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.