87 matches found
CVE-2026-54698
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...
CVE-2026-54698 Hasura: Row-level authorization bypass on table computed fields
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...
CVE-2026-54698
Hasura CVE-2026-54698 describes a row-level authorization bypass on table computed fields. Before versions 2.49.2 and 2.45.5, a user could use a where clause on a table computed field (returning SETOF some_table) to infer rows that should be filtered for their role according to some_table’s row-l...
CVE-2026-54698
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...
CVE-2026-54698 Hasura: Row-level authorization bypass on table computed fields
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field returning SETOF sometable to infer row values that ought to be filtered for their role based on sometable's row-level permissions. While...
PT-2026-56262
Name of the Vulnerable Software and Affected Versions Hasura versions prior to 2.49.2 Hasura versions prior to 2.45.5 Description A flaw exists where a user can employ a where clause on a table computed field that returns SETOF some table to infer row values. This occurs even when those rows shou...
CVE-2026-57951
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...
EUVD-2026-40168
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...
CVE-2026-57951 Mythic < 3.4.0.60 - Broken Permission Filter in payload_build_step Table
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...
PT-2026-53669
Name of the Vulnerable Software and Affected Versions Mythic versions prior to 3.4.0.60 Description A broken Hasura permission filter exists on the payload build step table. This issue involves an always-satisfied or condition that bypasses operation-scoped access controls. Consequently,...
CVE-2021-47748
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...
CVE-2021-47748
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...
CVE-2021-47748 Hasura GraphQL 1.3.3 - Remote Code Execution
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...
EUVD-2026-3661
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...
CVE-2021-47748 Hasura GraphQL 1.3.3 - Remote Code Execution
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...
CVE-2021-47748
CVE-2021-47748 concerns Hasura GraphQL 1.3.3, describing a remote code execution via SQL query manipulation. Attackers can inject commands into the run_sql endpoint, leveraging PostgreSQL COPY FROM PROGRAM to execute system commands. Connected sources corroborate the RCE vector and affected compo...
PT-2026-3794
Name of the Vulnerable Software and Affected Versions Hasura GraphQL version 1.3.3 Description Hasura GraphQL version 1.3.3 contains a remote code execution issue. Attackers can execute arbitrary shell commands through SQL query manipulation. The issue allows command injection into the run sql...
Hasura GraphQL Engine: Operating System Command Injection Vulnerability
Hasura GraphQL Engine is a very fast GraphQL server developed by Hasura as open source. Version 1.3.3 of Hasura GraphQL Engine contains a vulnerability related to operating system command injection. This vulnerability stems from SQL queries that allow remote code execution, potentially enabling t...
CVE-2021-47714
Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pgreadfile PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server...
EUVD-2021-34746
Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resource...