CVE-2026-54698 in graphql-engineinfo

Summary

by MITRE • 07/08/2026

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability affects Hasura GraphQL engines version prior to 2.49.2 and 2.45.5, representing a significant information disclosure flaw that enables unauthorized data inference through crafted query operations. The vulnerability specifically targets computed fields that return SETOF some_table types within the database schema, creating an indirect but exploitable pathway for privilege escalation and data leakage. Attackers can leverage the where clause functionality on these computed fields to perform oracle-based inference attacks, effectively bypassing normal row-level security measures that should protect sensitive data from unauthorized access.

The technical implementation of this vulnerability stems from insufficient validation of where clause operations on computed fields that return table sets. When a user constructs a query using a where clause against such computed fields, the system's response behavior differs between valid and invalid filter conditions, creating an oracle that attackers can exploit through brute force techniques. This mechanism allows adversaries to systematically test various values and observe response variations to determine which rows would be filtered out based on the underlying table's row-level permissions. The vulnerability fundamentally undermines Hasura's access control mechanisms by enabling attackers to infer the existence and characteristics of data that should remain hidden due to permission restrictions.

The operational impact of this vulnerability extends beyond simple information disclosure, as it potentially enables attackers to reconstruct sensitive data patterns and access control boundaries within the database. This type of inference attack is particularly dangerous because it operates at the query level rather than through direct data retrieval, making detection more challenging for security monitoring systems. The vulnerability affects the core GraphQL API functionality that organizations rely on for secure data access, potentially exposing confidential information that should be restricted to authorized users only. Organizations using Hasura without the patched versions face a heightened risk of unauthorized data exposure and potential compliance violations.

This vulnerability aligns with CWE-200 (Information Exposure) and represents a variant of privilege escalation through inference attacks that can be categorized under ATT&CK technique T1213.002 (Data from Information Repositories). The fix implemented in versions 2.49.2 and 2.45.5 addresses the root cause by strengthening validation mechanisms for where clause operations on computed fields, ensuring that such queries cannot be used as oracles for data inference attacks. Organizations should immediately update to these patched versions and conduct thorough security assessments of their Hasura implementations. Additionally, implementing comprehensive monitoring for unusual query patterns and maintaining up-to-date security patches represents critical mitigation strategies to prevent exploitation of similar vulnerabilities in other database access systems.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!