Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
Metrics
Affected Vendors & Products
References
History
Wed, 08 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hasura
Hasura graphql Engine |
|
| Vendors & Products |
Hasura
Hasura graphql Engine |
Tue, 07 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5. | |
| Title | Hasura: Row-level authorization bypass on table computed fields | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T13:02:17.049Z
Reserved: 2026-06-15T22:58:06.562Z
Link: CVE-2026-54698
Updated: 2026-07-08T13:01:57.956Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T15:45:03Z