CVE-2026-54698

CVE-2026-54698 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.

Key facts

Description

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.

Frequently asked questions

What is CVE-2026-54698?
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
How severe is CVE-2026-54698?
CVE-2026-54698 has a CVSS 4.0 base score of 6.0, rated medium severity.
Is CVE-2026-54698 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (7th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-54698?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2026-54698 published?
CVE-2026-54698 was published on 2026-07-07 and last updated on 2026-07-08.

References

Other CWE-863 (Incorrect Authorization) vulnerabilities

Browse all CWE-863 (Incorrect Authorization) vulnerabilities →