Comprehensive Technical Analysis of EUVD-2026-3661 (CVE-2021-47748)

Hasura GraphQL Remote Code Execution (RCE) Vulnerability

1. Vulnerability Assessment & Severity Evaluation

Overview

EUVD-2026-3661 (CVE-2021-47748) is a critical remote code execution (RCE) vulnerability in Hasura GraphQL Engine v1.3.3, allowing unauthenticated attackers to execute arbitrary shell commands via SQL query manipulation in the run_sql endpoint. The flaw stems from improper sanitization of user-controlled input in GraphQL queries, enabling exploitation of PostgreSQL’s COPY FROM PROGRAM functionality.

CVSS v4.0 Severity Breakdown

Metric	Value	Explanation
Attack Vector (AV)	Network (N)	Exploitable remotely over the internet.
Attack Complexity (AC)	Low (L)	No specialized conditions required.
Attack Requirements (AT)	None (N)	No prior access or privileges needed.
Privileges Required (PR)	None (N)	Unauthenticated exploitation possible.
User Interaction (UI)	None (N)	No user interaction required.
Vulnerable Component (VC)	High (H)	Full compromise of the GraphQL engine.
Vulnerable Integrity (VI)	High (H)	Arbitrary command execution affects data integrity.
Vulnerable Availability (VA)	High (H)	Potential for denial-of-service (DoS) or system takeover.
Subsequent Confidentiality (SC)	None (N)	No additional confidentiality impact beyond initial RCE.
Subsequent Integrity (SI)	None (N)	No further integrity impact beyond initial RCE.
Subsequent Availability (SA)	None (N)	No additional availability impact beyond initial RCE.

Base Score: 9.3 (Critical) The vulnerability is highly exploitable with no authentication required, leading to full system compromise. The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) confirms its critical severity, aligning with real-world exploitation trends.

---

2. Potential Attack Vectors & Exploitation Methods

Exploitation Mechanism

The vulnerability arises from improper input validation in Hasura’s run_sql endpoint, which allows arbitrary SQL execution via GraphQL mutations. Attackers exploit this by:

1. Crafting a malicious GraphQL query that injects a PostgreSQL COPY FROM PROGRAM command.
2. Executing system commands via the PostgreSQL backend, which runs with the privileges of the Hasura service.

Exploitation Steps

1. Identify Target: Confirm the target runs Hasura GraphQL Engine v1.3.3 (or vulnerable versions).
2. Send Malicious Query:

   mutation {
     run_sql(
       sql: "COPY (SELECT 1) FROM PROGRAM 'id; whoami; uname -a'"
     ) {
       result
     }
   }
   

   • The COPY FROM PROGRAM directive executes shell commands on the underlying OS.
3. Achieve RCE: Commands run with the privileges of the PostgreSQL/Hasura service (often postgres or root in misconfigured deployments).

Exploit Availability

• Proof-of-Concept (PoC): Available on Exploit-DB (ID: 49802).
• Automated Exploits: Likely integrated into Metasploit, Nuclei, or custom scripts for red teaming.

Post-Exploitation Impact

• Lateral Movement: If PostgreSQL has elevated privileges, attackers can escalate to host compromise.
• Data Exfiltration: Dump database contents, steal credentials, or exfiltrate sensitive data.
• Persistence: Deploy backdoors (e.g., reverse shells, cron jobs).
• Denial-of-Service (DoS): Crash the service or delete critical files.

---

3. Affected Systems & Software Versions

Vulnerable Software

Vendor	Product	Affected Versions	Fixed Versions
Hasura	GraphQL Engine	1.3.3 (and likely earlier)	1.3.4+ (patch not explicitly documented)

Deployment Scenarios at Risk

• Cloud Deployments: Hasura instances exposed to the internet (e.g., AWS, GCP, Azure).
• On-Premises: Internal Hasura instances with misconfigured access controls.
• Containerized Environments: Docker/Kubernetes deployments with exposed GraphQL endpoints.
• API Gateways: Hasura used as a backend for microservices with insufficient input validation.

Detection Methods

• Network Scanning: Identify Hasura instances via:

  nmap -p 8080 --script http-title -sV <target> | grep "Hasura"
  

• Version Fingerprinting: Check /v1/version endpoint for version 1.3.3.
• Log Analysis: Monitor for suspicious run_sql queries containing COPY FROM PROGRAM.

---

4. Recommended Mitigation Strategies

Immediate Actions

1. Upgrade Hasura:
   • Apply the latest patch (if available) or upgrade to Hasura v2.x, which includes security hardening.
   • If upgrading is not feasible, disable the run_sql endpoint via configuration:

     # hasura-config.yaml
     enabled_apis:
       - graphql
       - metadata
       # Remove 'run_sql' from the list
     

2. Network-Level Protections:
   • Restrict Access: Use firewalls, WAFs (e.g., Cloudflare, AWS WAF), or API gateways to block malicious queries.
   • Rate Limiting: Implement GraphQL query depth limiting to prevent complex payloads.
3. PostgreSQL Hardening:
   • Disable COPY FROM PROGRAM:

     ALTER SYSTEM SET allow_system_table_mods = off;
     ALTER SYSTEM SET allow_system_table_mods = 'off';
     

   • Least Privilege: Run PostgreSQL with a non-root user and restrict file system access.
4. Monitoring & Detection:
   • SIEM Integration: Alert on run_sql queries containing COPY, PROGRAM, or shell metacharacters (;, |, &).
   • File Integrity Monitoring (FIM): Detect unauthorized file changes from RCE.

Long-Term Recommendations

• Input Validation: Enforce strict GraphQL query validation to block dangerous SQL patterns.
• Zero Trust Architecture: Assume breach; segment Hasura deployments from critical systems.
• Regular Audits: Conduct penetration testing and code reviews for GraphQL endpoints.
• Vendor Communication: Monitor Hasura’s security advisories for updates.

---

5. Impact on the European Cybersecurity Landscape

Regulatory & Compliance Risks

• GDPR (General Data Protection Regulation):
  • Article 32: Requires "appropriate technical measures" to prevent unauthorized access. RCE in Hasura could lead to data breaches, triggering fines up to €20M or 4% of global revenue.
  • Article 33: Mandates 72-hour breach notification if RCE leads to data exposure.
• NIS2 Directive (Network and Information Security):
  • Critical infrastructure (e.g., finance, healthcare, energy) using Hasura must report incidents and implement risk management measures.
• DORA (Digital Operational Resilience Act):
  • Financial entities must ensure third-party risk management, including vulnerabilities in GraphQL backends.

Threat Actor Targeting

• State-Sponsored Actors: Likely to exploit RCE for espionage (e.g., APT29, Sandworm).
• Cybercriminals: Ransomware groups (e.g., LockBit, BlackCat) may use RCE for initial access.
• Hacktivists: Target EU government or corporate Hasura instances for defacement or data leaks.

Sector-Specific Risks

Sector	Potential Impact
Finance	Theft of PII, transaction manipulation, regulatory penalties.
Healthcare	HIPAA/GDPR violations, patient data exposure.
Government	Espionage, disruption of public services.
E-Commerce	Payment fraud, customer data breaches.
Critical Infrastructure	Operational disruption (e.g., energy, transport).

EU-Specific Mitigation Efforts

• ENISA (European Union Agency for Cybersecurity):
  • Should publish advisories and coordinate patching across member states.
• CERT-EU:
  • Issue threat intelligence reports on Hasura exploitation trends.
• National CSIRTs:
  • Conduct vulnerability scanning and awareness campaigns for affected organizations.

---

6. Technical Details for Security Professionals

Root Cause Analysis

• Vulnerability Class: Improper Neutralization of Special Elements (CWE-74).
• Code Flow:
  1. User submits a GraphQL mutation to run_sql.
  2. Hasura forwards the SQL query to PostgreSQL without sanitization.
  3. PostgreSQL executes COPY FROM PROGRAM, running arbitrary shell commands.
• Exploit Primitives:
  • Command Injection: Via COPY FROM PROGRAM.
  • Privilege Escalation: If PostgreSQL runs as root or has sudo access.

Exploit Chaining Opportunities

1. Initial Access:
   • Exploit RCE to gain a reverse shell (e.g., via nc -lvnp 4444).
2. Lateral Movement:
   • Dump PostgreSQL credentials (pg_dump).
   • Pivot to other systems via SSH keys or Kerberos tickets.
3. Persistence:
   • Add a cron job or systemd service for backdoor access.
4. Data Exfiltration:
   • Use curl or wget to exfiltrate data to an attacker-controlled server.

Detection & Forensics

• Log Analysis:
  • PostgreSQL Logs: Look for COPY FROM PROGRAM entries.
  • Hasura Logs: Check for unusual run_sql queries.
• Network Forensics:
  • PCAP Analysis: Detect outbound connections from the Hasura server.
  • DNS Exfiltration: Monitor for unusual DNS queries (e.g., attacker.com).
• Endpoint Detection:
  • Process Monitoring: Detect unexpected child processes (e.g., sh, bash, nc).
  • File Integrity: Check for unauthorized file modifications.

Hardening Recommendations

Layer	Mitigation
Network	- Restrict Hasura to internal networks. - Deploy WAF rules to block COPY FROM PROGRAM.
Application	- Disable run_sql endpoint. - Implement GraphQL query depth limiting.
Database	- Disable COPY FROM PROGRAM in PostgreSQL. - Run PostgreSQL as a non-root user.
Host	- Enable SELinux/AppArmor to restrict process execution. - Use immutable infrastructure (e.g., read-only containers).

Alternative Exploitation Methods

• GraphQL Introspection Abuse: If introspection is enabled, attackers can enumerate schema to craft precise payloads.
• Metadata API Abuse: If metadata API is exposed, attackers may modify Hasura configurations to enable run_sql.

---

Conclusion

EUVD-2026-3661 (CVE-2021-47748) represents a critical RCE vulnerability in Hasura GraphQL Engine, with severe implications for European organizations due to GDPR, NIS2, and DORA compliance risks. Immediate patching, network segmentation, and monitoring are essential to mitigate exploitation. Security teams should assume active scanning by threat actors and prioritize remediation to prevent data breaches, ransomware, or espionage.

For further details, refer to:

• NVD Entry (CVE-2021-47748)
• VulnCheck Advisory
• Exploit-DB PoC