Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible oracle requiring authenticated low-privilege role and iterative query probing (AC:H); pure confidentiality impact with no integrity or availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
AnalysisAI
Row-level authorization bypass in Hasura GraphQL Engine prior to versions 2.49.2 and 2.45.5 permits low-privileged authenticated users to infer the contents of rows their role's permissions should suppress. By submitting crafted where-clause predicates against table computed fields returning SETOF results, an attacker exploits the query response as a boolean oracle - iteratively reconstructing protected column values through binary-search-style probing without ever directly retrieving the restricted rows. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all three of the following conditions to hold simultaneously: (1) the attacker has a valid low-privilege Hasura role with query access to the GraphQL API (PR:L - authenticated, not anonymous); (2) the Hasura instance exposes at least one table computed field returning SETOF some_table; and (3) row-level permissions are configured on that returned table to suppress certain rows for the attacker's role. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) yields a score of 6.0, reflecting genuine confidentiality risk moderated by high attack complexity and a low-privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege Hasura role - such as a standard authenticated API user in a multi-tenant application - identifies a table computed field returning SETOF on a table where their role's row-level permissions filter out rows belonging to other tenants. The attacker submits a series of GraphQL queries varying the where-clause string predicate (e.g., column LIKE 'A%', then 'B%', etc.) and observes whether each returns a non-empty result set, using the presence or absence of data as a binary signal. … |
| Remediation | Upgrade Hasura GraphQL Engine to version 2.49.2 or later (v2.49 branch) or to 2.45.5 or later (v2.45 branch) - these are the vendor-confirmed fixed releases per GitHub Security Advisory GHSA-r27x-gc74-qmxh at https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Graphql Engine
View allHasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands th
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. Rat
Hasura is an open-source product that provides users GraphQL or REST APIs. Rated high severity (CVSS 7.5), this vulnerab
graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT. Rated
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42118