Access Control Vulnerability in Hasura Open-Source Product
CVE-2026-54698

6MEDIUM

Key Information:

Vendor

Hasura

Vendor
CVE Published:
7 July 2026

What is CVE-2026-54698?

An access control vulnerability exists in the Hasura GraphQL Engine that allows users to exploit the where clause on table computed fields. Although direct access to filtered row values is not possible, attackers may use string predicates to efficiently brute-force values, undermining row-level permissions configured for certain user roles. This issue can lead to unintended data exposure and has been addressed in versions 2.49.2 and 2.45.5.

Affected Version(s)

graphql-engine >= 2.46.0, < 2.49.2 < 2.46.0, 2.49.2

graphql-engine >= 2.45.0, < 2.45.5 < 2.45.0, 2.45.5

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.