216.73.217.98

CVE-2026-54698

· Published 08/07/2026 00:16 · Author: The MITRE Corporation

Labels: CVE-2026-54698

Essential information

Published
08/07/2026 00:16
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
6.0 MEDIUM (v4.0)
CISA KEV
No
CWE
CWE-863
CVSS vector

CVSS metrics

Description

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

NVD status

NVD
View on NVD