{"id":"CVE-2022-46792","details":"Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)","modified":"2026-04-10T04:52:45.293051Z","published":"2022-12-08T06:15:08.940Z","related":["GHSA-g7mj-g7f4-hgrg"],"references":[{"type":"ADVISORY","url":"https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/"},{"type":"FIX","url":"https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg"},{"type":"FIX","url":"https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hasura/graphql-engine","events":[{"introduced":"fb4faa68b64d14b856b9b7e5dde1a0c0334ac7ff"},{"fixed":"d15e855a2fa3f93db363519c011802a61709a2e4"},{"introduced":"9f0aaf2423b732f180d47ddc155d53a7f3567342"},{"fixed":"e6b3f48aeeb7fc46878655a3bc1939baa98667a6"},{"introduced":"d9eaeb6f778d1a793e633cbc5e5d26d3e8689e2d"},{"fixed":"e9ad75fbecc8425ad7448785f50472788bc2a860"},{"introduced":"811fbf1b50bd781a663ba9c9778067fa8edcf2de"},{"fixed":"69d7564d1b61e55152b87c7197b766f842540d1b"},{"introduced":"0"},{"last_affected":"2660015787a4de2aa52fe67e56fb90efc90148b8"},{"introduced":"0"},{"last_affected":"cc11528352ce069cb0aa79754c6aed65991d341e"}],"database_specific":{"versions":[{"introduced":"2.10.0"},{"fixed":"2.10.2"},{"introduced":"2.11.0"},{"fixed":"2.11.3"},{"introduced":"2.13.0"},{"fixed":"2.13.2"},{"introduced":"2.15.0"},{"fixed":"2.15.2"},{"introduced":"0"},{"last_affected":"2.12.0-NA"},{"introduced":"0"},{"last_affected":"2.14.0-NA"}]}}],"versions":["cli/v2.1.0","cli/v2.1.1","cli/v2.10.0","cli/v2.10.0-beta.1","cli/v2.10.1","cli/v2.11.0","cli/v2.11.0-beta.1","cli/v2.11.1","cli/v2.11.2","cli/v2.12.0","cli/v2.12.0-beta.1","cli/v2.13.0","cli/v2.13.1","cli/v2.14.0","cli/v2.14.0-beta.1","cli/v2.14.0-beta.2","cli/v2.15.0","cli/v2.15.1","cli/v2.15.2","cli/v2.2.0","cli/v2.8.0-beta.1","cli/v2.9.0-beta.1","v1.0.0-alpha0","v1.0.0-alpha01","v1.0.0-alpha02","v1.0.0-alpha03","v1.0.0-alpha04","v1.0.0-alpha05","v1.0.0-alpha06","v1.0.0-alpha07","v1.0.0-alpha08","v1.0.0-alpha09","v1.0.0-alpha10","v1.0.0-alpha11","v1.0.0-alpha12","v1.0.0-alpha13","v1.0.0-alpha14","v1.0.0-alpha15","v1.0.0-alpha16","v1.0.0-alpha17","v1.0.0-alpha18","v1.0.0-alpha20","v1.0.0-alpha21","v1.0.0-alpha22","v1.0.0-alpha23","v1.0.0-alpha24","v1.0.0-alpha25","v1.0.0-alpha26","v1.0.0-alpha27","v1.0.0-alpha28","v1.0.0-alpha29","v1.0.0-alpha30","v1.0.0-alpha31","v1.0.0-alpha32","v1.0.0-alpha33","v1.0.0-alpha34","v1.0.0-alpha35","v1.0.0-alpha36","v1.0.0-alpha37","v1.0.0-alpha38","v1.0.0-alpha39","v1.0.0-alpha40","v1.0.0-alpha41","v1.0.0-alpha42","v1.0.0-alpha43","v1.0.0-alpha44","v1.0.0-alpha45","v1.0.0-beta.1","v1.0.0-beta.10","v1.0.0-beta.2","v1.0.0-beta.3","v1.0.0-beta.4","v1.0.0-beta.5","v1.0.0-beta.6","v1.0.0-beta.7","v1.0.0-beta.8","v1.0.0-beta.9","v1.0.0-rc.1","v2.0.0-alpha.3","v2.0.0-alpha.4","v2.0.0-alpha.7","v2.0.0-beta.1","v2.0.1","v2.0.7","v2.0.8","v2.1.0","v2.1.0-beta.1","v2.1.0-beta.3","v2.10.0","v2.10.0-beta.1","v2.10.1","v2.11.0","v2.11.0-beta.1","v2.11.1","v2.11.2","v2.12.0","v2.12.0-beta.1","v2.13.0","v2.13.1","v2.14.0","v2.14.0-beta.1","v2.14.0-beta.2","v2.15.0","v2.15.1","v2.2.0","v2.3.0-beta.1","v2.4.0-beta.2","v2.8.0-beta.1","v2.9.0-beta.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.12.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.14.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.14.0-beta2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46792.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}