Hello,
We are writing to notify you of a high-severity security vulnerability in Hasura GraphQL Engine (HGE) that has been fixed in the releases listed below. We strongly urge all self-hosted users to upgrade to a patched version as soon as possible.
Severity: High (CVSS 3.1 base score 7.7) Affected component: Hasura GraphQL Engine (Postgres / Citus backends) Impact: Under certain permission configurations, a low-privileged role could read data that should have been protected by row-level permissions. This is a confidentiality issue only — no data modification is involved. Advisory: GHSA-r27x-gc74-qmxh — https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh CVE: Reservation in progress; the identifier will be included when full details are published.
Patched versions — please upgrade to at least:
What you should do now:
(Hasura-managed / Cloud deployments have already been patched — no action is required for those.)
Disclosure timeline: In line with coordinated-disclosure best practices, we are withholding the technical details of this vulnerability for 7 days (until approximately July 1, 2026) to give self-hosted users time to upgrade. After that window we will publish the full advisory, including the CVE identifier and a description of the issue, via the GitHub Security Advisory linked above on hasura/graphql-engine.
We thank the external security researcher who responsibly reported this issue.
If you have any questions, contact us at sup...@hasura.io.
Regards,
The Hasura Security Team