hasura CVE Vulnerabilities & Metrics

Focus on hasura vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About hasura Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with hasura. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total hasura CVEs: 6
Earliest CVE date: 29 Jul 2019, 13:15 UTC
Latest CVE date: 22 Dec 2025, 22:15 UTC

Latest CVE reference: CVE-2021-47715

Rolling Stats

30-day Count (Rolling): 3
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Charts: Monthly CVE Trends (current vs previous year); Annual CVE Trends (last 20 years); Critical hasura CVEs (CVSS ≥ 9) over 20 years.

CVSS Stats

Average CVSS: 0.83

Max CVSS: 5.0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     5
4.0-6.9     1
7.0-8.9     0
9.0-10.0    0

CVSS Distribution Chart

Top 5 Highest CVSS hasura CVEs

These are the five CVEs with the highest CVSS scores for hasura, sorted by severity first, then by recency.

All CVEs for hasura

CVE-2021-47715 | hasura vulnerability | CVSS: 0 | 22 Dec 2025, 22:15 UTC

Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources.

CVE-2021-47714 | hasura vulnerability | CVSS: 0 | 22 Dec 2025, 22:15 UTC

Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server.

CVE-2021-47713 | hasura vulnerability | CVSS: 0 | 22 Dec 2025, 22:15 UTC

Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint.

CVE-2023-27588 | hasura vulnerability | CVSS: 0 | 14 Mar 2023, 18:15 UTC

Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch.

CVE-2022-46792 | hasura vulnerability | CVSS: 0 | 08 Dec 2022, 06:15 UTC

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)

CVE-2019-1020015 | hasura vulnerability | CVSS: 5.0 | 29 Jul 2019, 13:15 UTC

graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.