PT-2026-56262 · Hasura · Graphql-Engine
Cipher-Creator
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-54698
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some table) to infer row values that ought to be filtered for their role based on some table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Graphql-Engine