Auth bypass in Hasura Graphql-engine

CVE-2026-54698

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for t…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References