Back to overview

CVE-2026-54698

MEDIUM
6.0
CVSS 4.0
Description
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

Metadata

CVE ID
CVE-2026-54698
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 22:58 UTC
Published
2026-07-07 21:29 UTC
Last updated
2026-07-08 13:02 UTC
Primary CWE
CWE-863
CWE-863: Incorrect Authorization
Vendor / Product
hasura / graphql-engine
Sources
cve.org  ·  NVD

Severity & Metrics

6.0 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
hasura graphql-engine >= 2.46.0, < 2.49.2, >= 2.45.0, < 2.45.5
Weakness (CWE)
CWESourceDescription
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.0 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References (1)
Back to overview