๐Ÿ” CVE Alert

CVE-2026-54698

UNKNOWN 0.0

Hasura: Row-level authorization bypass on table computed fields

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

CWE CWE-863
Vendor hasura
Product graphql-engine
Published Jul 7, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for hasura graphql-engine

Be the first to know when new unknown vulnerabilities affecting hasura graphql-engine are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

hasura / graphql-engine
>= 2.46.0, < 2.49.2 >= 2.45.0, < 2.45.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh