CVE-2026-54698

MEDIUM

Hasura: Row-level authorization bypass on table computed fields

Title source: cna
STIX 2.1

Description

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

References (1)

Core 1
Core References

Scores

CVSS v4 6.0
EPSS 0.0017
EPSS Percentile 6.6%
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (2)
hasura/graphql-engine >= 2.45.0, < 2.45.5
hasura/graphql-engine >= 2.46.0, < 2.49.2
Published Jul 07, 2026
Tracked Since Jul 08, 2026