CVE-2026-54698 in graphql-engineinformação

Sumário

de MITRE • 08/07/2026

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsável

GitHub M

Reservar

16/06/2026

Divulgação

08/07/2026

Moderação

aceite

Entrada

VDB-376704

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

muito baixo

Fontes

Do you know our Splunk app?

Download it now for free!