CVE-2021-47748 CRITICAL

CVE-2021-47748: Hasura GraphQL 1.3.3 - Remote Code Execution

Vendor Hasura
Product GraphQL
Weakness CWE-78
Published January 21, 2026
Last update January 22, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.

Key dates

02Disclosure timeline

January 21, 2026 CVE published
January 22, 2026 Record updated