In SurrealDB, records can be connected as a graph: a RELATE statement creates an edge record between two node records. If either endpoint node is deleted, SurrealDB automatically removes the edge row to keep the graph consistent.
A user with permission to delete a node could also delete the edges connected to that node, even when the edge table's PERMISSIONS FOR delete clause should have stopped them.
The automatic edge removal (Document::purge_edges) ran with permissions disabled (opt.clone().with_perms(false)), so the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses were never consulted. The removal step could also observe edge state that the edge's SELECT clause should have hidden.
Impact
What an attacker can do:
- Delete any edge connected to a node they can delete, regardless of the edge table's
PERMISSIONS FOR delete clause.
- Observe edge contents that
PERMISSIONS FOR select should have hidden, as a side effect of the same edge-removal step.
What it can't do:
- Delete nodes on tables they do not hold
DELETE on (the edge removal only runs from an authorised node delete).
- Cross namespace or database isolation boundaries.
- Escalate to root or operator-level privileges.
Patches
Document::purge_edges now propagates the caller's permission context into the edge removal. Each connected edge DELETE is evaluated against the edge table's PERMISSIONS FOR delete clause, matching a direct DELETE.
Versions 3.1.0 and later are not affected.
Workarounds
- Restrict node
DELETE permission to principals trusted to delete all connected edge records.
- Use namespace or database isolation as the primary boundary where edge-level
PERMISSIONS is load-bearing for multi-tenant separation.
References
In SurrealDB, records can be connected as a graph: a
RELATEstatement creates an edge record between two node records. If either endpoint node is deleted, SurrealDB automatically removes the edge row to keep the graph consistent.A user with permission to delete a node could also delete the edges connected to that node, even when the edge table's
PERMISSIONS FOR deleteclause should have stopped them.The automatic edge removal (
Document::purge_edges) ran with permissions disabled (opt.clone().with_perms(false)), so the edge table'sPERMISSIONS FOR deleteandPERMISSIONS FOR selectclauses were never consulted. The removal step could also observe edge state that the edge's SELECT clause should have hidden.Impact
What an attacker can do:
PERMISSIONS FOR deleteclause.PERMISSIONS FOR selectshould have hidden, as a side effect of the same edge-removal step.What it can't do:
DELETEon (the edge removal only runs from an authorised node delete).Patches
Document::purge_edgesnow propagates the caller's permission context into the edge removal. Each connected edgeDELETEis evaluated against the edge table'sPERMISSIONS FOR deleteclause, matching a directDELETE.Versions 3.1.0 and later are not affected.
Workarounds
DELETEpermission to principals trusted to delete all connected edge records.PERMISSIONSis load-bearing for multi-tenant separation.References