affected
published on 18 Dec 2025

CVE-2025-11060
5.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 4 days, 23 hours ago by @LeSuisse

Activity log
Created automatic suggestion 1 month ago
@LeSuisse removed package surrealdb-migrations 4 days, 23 hours ago
@LeSuisse accepted as draft 4 days, 23 hours ago
@LeSuisse update 4 days, 23 hours ago update

Surrealdb: surrealdb is vulnerable to unauthorized data exposure via live query subscriptions

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

Affected products
surrealdb
  <2.1.9
  <3.3.0-alpha.7
  <2.2.8
  <2.3.8
openshift-service-mesh/istio-cni-rhel9
openshift-service-mesh/istio-pilot-rhel9
openshift-service-mesh/istio-proxyv2-rhel9
openshift-service-mesh/istio-rhel9-operator
openshift-service-mesh/istio-must-gather-rhel9
openshift-service-mesh/istio-sail-operator-bundle
openshift-service-mesh-tech-preview/istio-ztunnel-rhel9
openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9

Matching in nixpkgs
pkgs.surrealdb
Scalable, distributed, collaborative, document-graph database, for the realtime web
  nixos-25.05: 2.3.2
  nixpkgs-25.05-darwin: 2.3.2
  nixos-25.05-small: 2.3.2
  nixos-unstable: 2.3.8
  nixos-unstable-small: 2.3.8
  nixpkgs-unstable: 2.3.8

Package maintainers: 3
@sikmir Nikolay Korotkiy <sikmir@disroot.org>
@happysalada Raphael Megzari <raphael@megzari.com>
@siriobalmelli Sirio Balmelli <sirio@b-ad.ch>