Skip to main content

Hasura GraphQL Engine EUVDEUVD-2026-42118

| CVE-2026-54698 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-07 GitHub_M
6.0
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible oracle requiring authenticated low-privilege role and iterative query probing (AC:H); pure confidentiality impact with no integrity or availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 23:01 EUVD
Analysis Generated
Jul 07, 2026 - 22:14 vuln.today

DescriptionCVE.org

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

AnalysisAI

Row-level authorization bypass in Hasura GraphQL Engine prior to versions 2.49.2 and 2.45.5 permits low-privileged authenticated users to infer the contents of rows their role's permissions should suppress. By submitting crafted where-clause predicates against table computed fields returning SETOF results, an attacker exploits the query response as a boolean oracle - iteratively reconstructing protected column values through binary-search-style probing without ever directly retrieving the restricted rows. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege API role
Delivery
Enumerate GraphQL schema for SETOF computed fields
Exploit
Identify tables with row-level permissions restricting attacker's role
Execution
Craft iterative where-clause predicates targeting filtered rows
Persist
Observe non-empty vs. empty response as boolean oracle
Impact
Reconstruct protected column values via repeated predicate refinement

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following conditions to hold simultaneously: (1) the attacker has a valid low-privilege Hasura role with query access to the GraphQL API (PR:L - authenticated, not anonymous); (2) the Hasura instance exposes at least one table computed field returning SETOF some_table; and (3) row-level permissions are configured on that returned table to suppress certain rows for the attacker's role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) yields a score of 6.0, reflecting genuine confidentiality risk moderated by high attack complexity and a low-privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privilege Hasura role - such as a standard authenticated API user in a multi-tenant application - identifies a table computed field returning SETOF on a table where their role's row-level permissions filter out rows belonging to other tenants. The attacker submits a series of GraphQL queries varying the where-clause string predicate (e.g., column LIKE 'A%', then 'B%', etc.) and observes whether each returns a non-empty result set, using the presence or absence of data as a binary signal. …
Remediation Upgrade Hasura GraphQL Engine to version 2.49.2 or later (v2.49 branch) or to 2.45.5 or later (v2.45 branch) - these are the vendor-confirmed fixed releases per GitHub Security Advisory GHSA-r27x-gc74-qmxh at https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy