Impact
Affected server versions are v1.2.0-beta.5 and v1.2.0, and only when HASURA_GRAPHQL_UNAUTHORIZED_ROLE is set. Unauthenticated users can run API calls as any role by setting an x-hasura-role header.
To know if you were affected, please check your logs for API calls with x-hasura-role values for queries you did not expect. If you've followed guidelines from the Hasura production checklist, the impact would have been significantly reduced. If you need help in assessing the impact, please reach out to us via the contact information below.
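As an added example of the log check the advisory recommends (this is not part of the advisory or Hasura's own tooling): a small Python script that reads JSON request-log lines and counts requests whose x-hasura-role is outside the set of roles you expect. The log lines are constructed samples, and the nested field layout read by role_of is an assumption to adapt to your server's actual http-log format.

```python
import json
from collections import Counter

# Constructed sample log lines (not real Hasura output). The field layout
# is an assumption; adjust role_of() to match your server's http-log entries.
SAMPLE_LOGS = """\
{"type":"http-log","detail":{"operation":{"user_vars":{"x-hasura-role":"anonymous"}},"http_info":{"ip":"203.0.113.5"}}}
{"type":"http-log","detail":{"operation":{"user_vars":{"x-hasura-role":"admin"}},"http_info":{"ip":"203.0.113.5"}}}
{"type":"http-log","detail":{"operation":{"user_vars":{"x-hasura-role":"user"}},"http_info":{"ip":"198.51.100.9"}}}
{"type":"startup","detail":"not a request log"}
"""


def role_of(entry):
    """Return the x-hasura-role recorded for a request entry, or None."""
    if entry.get("type") != "http-log":
        return None
    operation = (entry.get("detail") or {}).get("operation") or {}
    return (operation.get("user_vars") or {}).get("x-hasura-role")


def unexpected_roles(log_text, expected_roles):
    """Count requests whose role is not one you expect unauthenticated or
    normal clients to use, e.g. the HASURA_GRAPHQL_UNAUTHORIZED_ROLE value
    plus the roles your authenticated sessions legitimately carry."""
    hits = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are skipped
        role = role_of(entry)
        if role is not None and role not in expected_roles:
            hits[role] += 1
    return hits


if __name__ == "__main__":
    # With "anonymous" as the unauthorized role and "user" as the only
    # authenticated role, any "admin" request here is worth investigating.
    for role, count in unexpected_roles(SAMPLE_LOGS, {"anonymous", "user"}).items():
        print(f"unexpected role {role!r}: {count} request(s)")
```

A non-empty result means a request was served under a role you did not expect and should be reviewed against the time window in which a vulnerable version was running.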
Patches
A patch has been released as v1.2.1. Please upgrade to this version immediately.
For more information
If you have any questions or comments about this advisory, please email us at [email protected].
Please follow our security mailing list to stay updated with advisories. More information about security vulnerability reporting and disclosure can be found in our docs.