Critical Vulnerability in Hasura GraphQL Engine v2.10.0-v2.15
On November 21st, Hasura discovered a critical security vulnerability in its GraphQL Engine "Update Many" API, affecting versions 2.10.0 to 2.15. The issue was identified by Morten Hillbom and Issaaf Kattan from Celsia.io, a customer of Nhost. A Missing Authorization vulnerability allowed users to expand their update capabilities under row-level authorization for Postgres datastores. Hasura has released patches for all impacted versions, removed the vulnerable versions from Docker Hub, and is taking steps to improve its security processes and communication channels.
Company: Hasura
Date published: Dec. 7, 2022
Author(s): Timothy Cline
Word count: 836
Language: English
Hacker News points: None found.