PT-2026-56262 · Hasura · Graphql-Engine

Cipher-Creator

·

Publicado

2026-07-07

·

Atualizado

2026-07-07

·

CVE-2026-54698

CVSS v4.0

6.0

Média

VetorAV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some table) to infer row values that ought to be filtered for their role based on some table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54698

Produtos afetados

Graphql-Engine