Auth bypass in Hasura Graphql-engine
CVE-2026-54698
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for t…
Vulnerability class: Broken Access Control
Affected products
- Hasura Graphql-engine — versions >= 2.46.0, < 2.49.2, >= 2.45.0, < 2.45.5
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)