Vulnerability Description
A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2025-11060
- https://bugzilla.redhat.com/show_bug.cgi?id=2394708
- https://github.com/surrealdb/surrealdb
- https://github.com/surrealdb/surrealdb/commit/d81169a06b89f0c588134ddf2d62eeb8d5
- https://github.com/surrealdb/surrealdb/pull/6247
- https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc
- https://surrealdb.com/docs/surrealql/statements/live
FAQ
What is CVE-2025-11060?
CVE-2025-11060 is a vulnerability with a CVSS score of 5.7 (MEDIUM). A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing acces...
How severe is CVE-2025-11060?
CVE-2025-11060 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-11060?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.