Skip to content

SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field

Moderate severity GitHub Reviewed Published Jun 19, 2026 in surrealdb/surrealdb • Updated Jun 19, 2026

Package

cargo surrealdb (Rust)

Affected versions

>= 3.0.0, < 3.1.5

Patched versions

3.1.5

Description

A field can be hidden from a user with a field-level SELECT permission (DEFINE FIELD code ON secret PERMISSIONS FOR select WHERE owner = $auth.id). When that field is indexed, a record user who cannot read it could still recover the relative ordering of its values across every record by issuing ORDER BY <field>: the field came back null as intended, but the rows were returned in the hidden values' true sorted order.

To satisfy the sort, the planner selects the field's index and walks it in value order; the field-level permission is applied later, when the row is projected, so the value is nulled but the row order already encodes it. The guard that withholds restricted fields from the WHERE path was never applied to ORDER BY.

Impact

What an attacker can do:

  • As a record (scope) user with table SELECT, learn the relative ordering of a field hidden by a field-level SELECT permission, across other users' records, by ordering on it when an index covers the field — the value returns null, but the rows come back in the hidden values' order.
  • With rows they control in the same table, use that ordering to narrow the hidden values toward exact ones.

What it can't do:

  • Read the field value directly — only its relative ordering leaks; the projected value is correctly redacted.
  • Cross table, record, or namespace/database boundaries — the table's SELECT permission and any row-level WHERE are still enforced, so only records the caller may already read are ordered.
  • Leak anything when the restricted field is not indexed, affect root or record-owner sessions, or modify data (confidentiality only).

Patches

The query planner now applies the field-permission guard to the ORDER BY clause as well as the WHERE clause. When an ordered field is hidden from the caller by a field-level SELECT permission, the index sort pushdown is withheld and the rows are sorted after redaction instead, so the row order no longer reflects the hidden values. The dynamic-scan fallback is closed the same way, and a regression test was added.

The fix is included in SurrealDB 3.1.5.

Workarounds

Users unable to upgrade are advised to consider the following:

  • Force the legacy executor with SURREAL_PLANNER_STRATEGY=compute-only; the sort then runs after redaction, so no ordering leaks.
  • Do not place an index on a field whose values are hidden by a field-level SELECT permission — without the index the leak does not occur.
  • Do not rely on field-level SELECT permissions to hide values on indexed fields from record users; restrict at the table level instead.
  • Use namespace / database isolation as the primary trust boundary where feasible.

References

Acknowledgements

Thanks to George Chen (@geo-chen) for finding and reporting this issue.

References

@rushmorem rushmorem published to surrealdb/surrealdb Jun 19, 2026
Published to the GitHub Advisory Database Jun 19, 2026
Reviewed Jun 19, 2026
Last updated Jun 19, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS score

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-h4h3-3rfj-x6fq

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.