CVE-2025-11060

medium

Description

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

References

https://surrealdb.com/docs/surrealql/statements/live

https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc

https://github.com/surrealdb/surrealdb/pull/6247

https://github.com/surrealdb/surrealdb/commit/d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c

https://github.com/surrealdb/surrealdb

https://bugzilla.redhat.com/show_bug.cgi?id=2394708

https://access.redhat.com/security/cve/CVE-2025-11060

Details

Source: Mitre, NVD

Published: 2025-09-26

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Severity: Medium

CVSS v4

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00032