Access Control Vulnerability in Hasura Open-Source Product
CVE-2026-54698
6MEDIUM
What is CVE-2026-54698?
An access control vulnerability exists in the Hasura GraphQL Engine that allows users to exploit the where clause on table computed fields. Although direct access to filtered row values is not possible, attackers may use string predicates to efficiently brute-force values, undermining row-level permissions configured for certain user roles. This issue can lead to unintended data exposure and has been addressed in versions 2.49.2 and 2.45.5.
Affected Version(s)
graphql-engine >= 2.46.0, < 2.49.2 < 2.46.0, 2.49.2
graphql-engine >= 2.45.0, < 2.45.5 < 2.45.0, 2.45.5
