CVE-2021-47748
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-02-02

Assigner: VulnCheck

Description
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47748
EUVD
EUVD-2026-3661
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hasura graphql_engine 1.3.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47748 is a critical remote code execution vulnerability in Hasura GraphQL Engine version 1.3.3. It allows attackers to execute arbitrary shell commands on the server by manipulating SQL queries sent to the run_sql endpoint. Specifically, attackers exploit PostgreSQL's COPY FROM PROGRAM feature by crafting malicious GraphQL queries that inject system commands. This happens due to improper input handling, enabling remote attackers to run code without authentication. [1, 2]

Impact Analysis

This vulnerability can have severe impacts including full remote code execution on the affected system. An attacker can execute arbitrary shell commands remotely without any authentication, potentially leading to unauthorized access, data theft, system compromise, disruption of services, and complete loss of confidentiality, integrity, and availability of the system. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to send specially crafted GraphQL queries to the Hasura GraphQL engine's run_sql or v1/query endpoints that exploit the SQL injection via the COPY FROM PROGRAM feature. One practical method is to use the provided Python exploit script from Resource 2, which sends JSON payloads containing SQL commands to execute shell commands remotely. Monitoring network traffic for unusual GraphQL bulk queries or unexpected SQL commands targeting the run_sql endpoint may also help detect exploitation attempts. Specific commands include sending a bulk GraphQL query with SQL commands that create a table and execute shell commands via COPY FROM PROGRAM, as demonstrated in the Python script in Resource 2. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Hasura GraphQL Engine from version 1.3.3 to a patched version that addresses this remote code execution vulnerability. If an upgrade is not immediately possible, restrict access to the Hasura GraphQL endpoints, especially run_sql and v1/query, by implementing network-level controls such as firewalls or IP whitelisting. Additionally, monitor and block suspicious GraphQL queries that attempt to use the COPY FROM PROGRAM functionality or execute arbitrary SQL commands. Disabling or restricting the use of the run_sql endpoint can also reduce the attack surface. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47748. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart