Hasura GraphQL Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Hasura GraphQL version 1.3.3. This issue allows attackers to execute arbitrary shell commands by manipulating SQL queries. The vulnerability is exploited through the run_sql endpoint, where crafted GraphQL queries can inject commands that are executed via PostgreSQL's COPY FROM PROGRAM functionality.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where Hasura GraphQL is running.

Reproduction

To reproduce this vulnerability, send a POST request to the Hasura GraphQL server's run_sql endpoint with a GraphQL query that includes the COPY command. The injected command will be executed on the server, and the output can be retrieved by querying the appropriate table.
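As an added defensive example (not part of this advisory), the following Python code scans request logs for the pattern the advisory describes: a run_sql request whose SQL invokes COPY ... FROM PROGRAM. It assumes Hasura 1.x's run_sql is reached through the query API at POST /v1/query with a JSON body of the form {"type": "run_sql", "args": {"sql": "..."}}, possibly nested inside a "bulk" request, and that the log records the request path and raw body as JSON; the log lines below are constructed for illustration.

```python
import json
import re

# Assumption: Hasura 1.x serves run_sql on its query API at this path, and the
# request body is JSON with "type" and "args" keys (or a "bulk" list of them).
RUN_SQL_PATH = "/v1/query"

# COPY ... FROM PROGRAM is the PostgreSQL feature the advisory names; match it
# case-insensitively, across newlines, anywhere inside a single statement.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b[^;]*?\bFROM\s+PROGRAM\b", re.IGNORECASE)


def iter_sql_statements(body):
    """Yield every SQL string carried by a run_sql request, including those nested in a bulk request."""
    if not isinstance(body, dict):
        return
    qtype = body.get("type")
    args = body.get("args")
    if qtype == "run_sql" and isinstance(args, dict) and isinstance(args.get("sql"), str):
        yield args["sql"]
    elif qtype == "bulk" and isinstance(args, list):
        for item in args:
            yield from iter_sql_statements(item)


def find_copy_program_requests(log_lines):
    """Return (line_number, sql) for each logged request that invokes COPY ... FROM PROGRAM."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # not a JSON log line; skip
        if entry.get("path") != RUN_SQL_PATH:
            continue  # only the query API can carry run_sql
        try:
            body = json.loads(entry.get("body", ""))
        except ValueError:
            continue  # body was not JSON; nothing to inspect
        for sql in iter_sql_statements(body):
            if COPY_PROGRAM_RE.search(sql):
                hits.append((n, sql))
    return hits


# Constructed sample log: one GraphQL request, one legitimate run_sql query,
# and two run_sql requests (plain and bulk-wrapped) that use COPY FROM PROGRAM.
SAMPLE_LOG = [
    json.dumps({"path": "/v1/graphql",
                "body": json.dumps({"query": "{ users { id } }"})}),
    json.dumps({"path": "/v1/query",
                "body": json.dumps({"type": "run_sql",
                                    "args": {"sql": "SELECT count(*) FROM users;"}})}),
    json.dumps({"path": "/v1/query",
                "body": json.dumps({"type": "run_sql",
                                    "args": {"sql": "COPY scratch FROM PROGRAM 'id';"}})}),
    json.dumps({"path": "/v1/query",
                "body": json.dumps({"type": "bulk",
                                    "args": [{"type": "run_sql",
                                              "args": {"sql": "copy scratch\nfrom program 'id'"}}]})}),
]

if __name__ == "__main__":
    for line_no, sql in find_copy_program_requests(SAMPLE_LOG):
        print(f"line {line_no}: COPY FROM PROGRAM via run_sql: {sql!r}")
```

Detection complements, rather than replaces, two mitigations: the run_sql endpoint should only be reachable with the admin secret, and the PostgreSQL role Hasura connects as should be neither a superuser nor a member of pg_execute_server_program (PostgreSQL 11 and later), since COPY FROM PROGRAM is refused to any other role.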

Added: Jan 21, 2026, 6:39 PM
Updated: Jan 21, 2026, 6:39 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 10.0
exploitability: 9.5
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.