CVE-2022-46792: n/a in n/a
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
AI Analysis
Technical Summary
CVE-2022-46792 is a high-severity vulnerability affecting the Hasura GraphQL Engine versions prior to 2.15.2, specifically in the Update Many API when used with Postgres backends. The vulnerability arises from improper handling of row-level authorization, classified under CWE-863 (Incorrect Authorization). This flaw allows an attacker with at least some level of privileges (PR:L, low privileges required) to bypass intended row-level access controls during bulk update operations. Consequently, an attacker can modify data rows they should not have access to, impacting the confidentiality, integrity, and availability of the database records. The vulnerability affects versions from 2.10.0 up to but not including the fixed releases 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. Versions before 2.10.0 are not affected. The CVSS 3.1 base score is 8.8, indicating high severity due to the network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are currently reported in the wild. The vulnerability is critical for environments where Hasura GraphQL Engine is used as a backend API layer in front of Postgres databases, especially in multi-tenant or sensitive-data contexts where row-level security is essential. Attackers exploiting this flaw can perform unauthorized data modifications, potentially leading to data corruption, leakage, or denial of service through loss of data integrity.
Potential Impact
For European organizations, the impact of CVE-2022-46792 can be significant, particularly for those relying on Hasura GraphQL Engine as part of their backend infrastructure interfacing with PostgreSQL databases. The vulnerability enables unauthorized modification of data at a granular row level, which can lead to breaches of data confidentiality, unauthorized data alteration, and potential disruption of business processes relying on accurate data. Sectors such as finance, healthcare, public administration, and critical infrastructure that handle sensitive or regulated data are at heightened risk. Exploitation could result in compliance violations under GDPR due to unauthorized data access or modification, leading to legal and financial penalties. Additionally, the integrity loss could undermine trust in digital services and cause operational downtime or data recovery costs. Since the attack requires some level of privileges but no user interaction, insider threats or compromised accounts could be leveraged to exploit this vulnerability, increasing the risk profile for organizations with complex user roles and permissions. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for targeted attacks, especially as threat actors often develop exploits for high-impact vulnerabilities over time.
Mitigation Recommendations
1. Immediately upgrade to one of the fixed Hasura GraphQL Engine versions: 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, or 2.15.2. Ensure all environments, including development, staging, and production, are updated to prevent exploitation.
2. Review and audit all row-level authorization policies configured in Hasura to verify they are correctly enforced, especially in bulk update operations.
3. Implement strict access controls and least-privilege principles for users and service accounts interacting with the GraphQL API to minimize the risk from compromised credentials.
4. Monitor API logs for unusual bulk update activities or unauthorized data modifications indicative of exploitation attempts.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious GraphQL mutation patterns targeting the Update Many API.
6. Conduct penetration testing focusing on authorization bypass scenarios in GraphQL endpoints to identify residual weaknesses.
7. For organizations unable to upgrade immediately, consider temporarily disabling or restricting the Update Many API functionality or limiting its use to trusted internal networks.
8. Maintain an incident response plan that includes steps for rapid containment and remediation if exploitation is detected.
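Recommendation 4 (monitor API logs for unusual bulk update activity) can be turned into a concrete check. The script below is an added example written for this page; it is not code from the page, from Hasura, or from the analysis vendor. It assumes an access log with one JSON object per line carrying `ts`, `role`, `user_id` and the raw GraphQL text in `query` (the sample lines are constructed for the example, and the field names are an assumption, not Hasura's own log schema). It relies on the Update Many API's mutation field shape `update_<table>_many(updates: [{where: ..., _set: ...}, ...])` and flags every such mutation issued by a non-admin role, large batches above a tunable threshold, and any update object whose `where` filter is empty. While the unpatched versions are still deployed, the non-admin `update_many` findings are the ones to triage first, since row-level permissions are exactly what the flaw fails to apply there.

```python
"""Flag Update Many mutations in GraphQL API access logs (added example).

Assumed log format (not Hasura's real schema): one JSON object per line with
"ts", "role", "user_id" and the raw GraphQL text in "query".
"""
import json
import re
from dataclasses import dataclass

UPDATE_MANY_FIELD = re.compile(r"\bupdate_([A-Za-z0-9_]+)_many\s*\(")
UPDATES_LIST = re.compile(r"\bupdates\s*:\s*\[")
EMPTY_WHERE = re.compile(r"\bwhere\s*:\s*\{\s*\}")

# Assumed tuning knob: more update objects than this from a non-admin role is flagged.
BULK_THRESHOLD = 2

# Constructed sample lines (not real traffic): a plain single-row update, a
# one-object update_many, a three-object update_many, an admin update_many with
# an empty filter, and a malformed line.
SAMPLE_LOG = [
    '{"ts":"2022-12-09T10:00:01Z","role":"user","user_id":"u-17","query":"mutation { update_orders(where:{id:{_eq:5}}, _set:{status:\\"paid\\"}) { affected_rows } }"}',
    '{"ts":"2022-12-09T10:00:02Z","role":"user","user_id":"u-17","query":"mutation { update_orders_many(updates:[{where:{id:{_eq:5}}, _set:{status:\\"paid\\"}}]) { affected_rows } }"}',
    '{"ts":"2022-12-09T10:00:03Z","role":"user","user_id":"u-42","query":"mutation { update_orders_many(updates:[{where:{id:{_eq:1}}, _set:{status:\\"x\\"}},{where:{id:{_eq:2}}, _set:{status:\\"x\\"}},{where:{id:{_eq:3}}, _set:{status:\\"x\\"}}]) { affected_rows } }"}',
    '{"ts":"2022-12-09T10:00:04Z","role":"admin","user_id":"svc-batch","query":"mutation { update_orders_many(updates:[{where:{}, _set:{archived:true}}]) { affected_rows } }"}',
    "not json at all",
]


@dataclass
class Finding:
    ts: str
    role: str
    user_id: str
    table: str
    update_count: int
    reasons: list


def parse_updates_list(text, start):
    """Scan from the '[' at text[start] to its matching ']'.
    Returns (number of top-level {...} objects, index of the closing ']').
    Bracket and brace characters inside double-quoted strings are ignored."""
    brackets = braces = count = 0
    in_str, i = False, start
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "[":
            brackets += 1
        elif c == "]":
            brackets -= 1
            if brackets == 0:
                return count, i
        elif c == "{":
            if brackets == 1 and braces == 0:
                count += 1  # a new update object directly inside the list
            braces += 1
        elif c == "}":
            braces -= 1
        i += 1
    raise ValueError("unbalanced updates list")


def analyse_update_many(query):
    """Yield (table, update_count, has_empty_where) for every update_<table>_many
    field found in the mutation text."""
    for m in UPDATE_MANY_FIELD.finditer(query):
        lst = UPDATES_LIST.search(query, m.end())
        if not lst:
            continue
        open_idx = lst.end() - 1
        count, close_idx = parse_updates_list(query, open_idx)
        body = query[open_idx + 1:close_idx]
        yield m.group(1), count, bool(EMPTY_WHERE.search(body))


def scan_log(lines, threshold=BULK_THRESHOLD):
    """Return a Finding for each logged request that deserves a look."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these too
        for table, n, empty_where in analyse_update_many(rec.get("query", "")):
            reasons = []
            if rec.get("role") != "admin":
                reasons.append("update_many issued by non-admin role")
                if n > threshold:
                    reasons.append(f"{n} update objects exceeds threshold {threshold}")
            if empty_where:
                reasons.append("update object with empty where filter")
            if reasons:
                findings.append(Finding(rec.get("ts", ""), rec.get("role", ""),
                                        rec.get("user_id", ""), table, n, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} role={f.role} user={f.user_id} table={f.table} "
              f"objects={f.update_count}: {'; '.join(f.reasons)}")
```

Run against the constructed sample, the plain `update_orders` call is ignored, both non-admin `update_orders_many` calls are reported (the three-object one also trips the batch threshold), and the admin call is reported only because its `where` filter is empty. The scanner counts update objects by walking the `updates` list with a small bracket-and-brace tracker rather than a full GraphQL parser, which is enough for a log triage job and keeps the check dependency-free.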
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-12-08T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9847c4522896dcbf59ea
Added to database: 5/21/2025, 9:09:27 AM
Last enriched: 6/21/2025, 6:37:26 PM
Last updated: 8/15/2025, 1:43:34 PM
Views: 11
Related Threats
- CVE-2025-8719 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
- CVE-2025-8464 (Medium): CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
- CVE-2025-7499 (Medium): CWE-862 Missing Authorization in wpdevteam BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
- CVE-2025-8898 (Critical): CWE-862 Missing Authorization in magepeopleteam E-cab Taxi Booking Manager for Woocommerce
- CVE-2025-8896 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor