CVE-2026-23735
📋 TL;DR
This vulnerability in GraphQL Modules allows parallel requests to mix up execution contexts when using @ExecutionContext() injection, potentially exposing authentication tokens and sensitive data between different user sessions. It affects GraphQL servers using GraphQL Modules versions 2.2.1 to 2.4.0 and 3.0.0 to 3.1.0. Developers who use @ExecutionContext() to pass request context to services are impacted.
💻 Affected Systems
- GraphQL Modules
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authentication tokens and user session data from one request could be exposed to another user's request, leading to unauthorized data access, privilege escalation, or account takeover.
Likely Case
User data leakage between concurrent requests, potentially exposing sensitive information like authentication tokens, user IDs, or authorization headers to unintended recipients.
If Mitigated
Limited impact with proper request isolation and additional authentication checks, though some data mixing may still occur.
🎯 Exploit Status
Requires parallel requests to the same service endpoint. Exploitation depends on application architecture and concurrency patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.1 for v2.x, 3.1.1 for v3.x
Vendor Advisory: https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7
Restart Required: Yes
Instructions:
1. Update the GraphQL Modules package: npm update @graphql-modules/core
2. Verify the installed version is 2.4.1+ (v2) or 3.1.1+ (v3)
3. Restart your GraphQL server
4. Test parallel request handling
🔧 Temporary Workarounds
Avoid @ExecutionContext() injection
Manually pass context through service methods instead of using decorator injection
Implement request queuing
Use request queuing mechanisms to prevent parallel execution of the same service
🧯 If You Can't Patch
- Implement additional authentication checks in services to verify context ownership
- Add request correlation IDs and validate them throughout the request lifecycle
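The following is an added illustration, not code from the advisory or from the graphql-modules project, and it does not describe that library's internals. It models the failure class the advisory names (a shared singleton service that remembers the current request's context in an instance field, so two interleaved requests can read each other's context) next to the two workarounds listed above: passing the context explicitly into each method call, and validating a request correlation id before serving from remembered context. All names (ContextBoundService, ContextPassingService, requestId, user) and the sample contexts are hypothetical.

```javascript
// Added illustration; not code from the advisory or the graphql-modules
// project. Models context mixing in a shared service and two mitigations.

class ContextBoundService {
  constructor({ checkCorrelation = false } = {}) {
    this.checkCorrelation = checkCorrelation;
    this.ctx = null;
  }
  // The context is attached to the shared instance rather than to the request.
  attachContext(ctx) { this.ctx = ctx; }
  currentUser(requestId) {
    // Correlation check: refuse to serve when the remembered context does not
    // belong to the caller's request (hypothetical requestId field).
    if (this.checkCorrelation && this.ctx.requestId !== requestId) {
      throw new Error(`context mismatch: held ${this.ctx.requestId}, caller ${requestId}`);
    }
    return this.ctx.user;
  }
}

class ContextPassingService {
  // The context travels with the call, so nothing is shared across requests.
  currentUser(ctx) { return ctx.user; }
}

// Simulates two requests whose resolver steps interleave (as they would
// between two awaits): both attach their context before either reads it.
function runInterleaved(service, ctxA, ctxB) {
  const observe = (request, read) => {
    try { return { request, user: read(), error: null }; }
    catch (e) { return { request, user: null, error: e.message }; }
  };
  if (service instanceof ContextBoundService) {
    service.attachContext(ctxA); // request A's resolver starts
    service.attachContext(ctxB); // request B's resolver starts before A reads
    return [observe("A", () => service.currentUser(ctxA.requestId)),
            observe("B", () => service.currentUser(ctxB.requestId))];
  }
  return [observe("A", () => service.currentUser(ctxA)),
          observe("B", () => service.currentUser(ctxB))];
}

// Summarises which requests saw another request's user (silent mixing) and
// which were stopped by the correlation check instead of being served.
function summarize(service, ctxA, ctxB) {
  const expected = { A: ctxA.user, B: ctxB.user };
  const runs = runInterleaved(service, ctxA, ctxB);
  return {
    mixed: runs.filter((r) => r.user !== null && r.user !== expected[r.request]).map((r) => r.request),
    rejected: runs.filter((r) => r.error !== null).map((r) => r.request),
  };
}

// Constructed request contexts; the tokens are placeholders, not real values.
const CTX_A = { requestId: "req-A", user: "alice", token: "TOKEN-A-PLACEHOLDER" };
const CTX_B = { requestId: "req-B", user: "bob", token: "TOKEN-B-PLACEHOLDER" };

console.log("shared field, no check:", summarize(new ContextBoundService(), CTX_A, CTX_B));
// → { mixed: ["A"], rejected: [] }   request A is served bob's context
console.log("shared field, correlation check:",
  summarize(new ContextBoundService({ checkCorrelation: true }), CTX_A, CTX_B));
// → { mixed: [], rejected: ["A"] }   the mismatch is caught rather than served
console.log("context as parameter:", summarize(new ContextPassingService(), CTX_A, CTX_B));
// → { mixed: [], rejected: [] }
```

The correlation check turns silent data mixing into a logged error (one of the "Log Indicators" below), which is why it is worth adding even where queuing or parameter passing is not yet in place.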
🔍 How to Verify
Check if Vulnerable:
Check package.json (and the installed version reported by npm list) for an @graphql-modules/core version in the range 2.2.1 to 2.4.0 or 3.0.0 to 3.1.0, and check whether the code base uses the @ExecutionContext() decorator
Check Version:
npm list @graphql-modules/core
Verify Fix Applied:
Confirm @graphql-modules/core version is 2.4.1+ or 3.1.1+ and test parallel requests to services using @ExecutionContext()
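An added verification script for the checks above; it is not from the advisory or the graphql-modules project. It applies the version ranges the advisory gives to the output of the advisory's own `npm list @graphql-modules/core` command and looks for the `@ExecutionContext()` decorator in source text. The package name follows the advisory text, and the sample `npm list` output and source files are constructed.

```javascript
// Added verification example; not part of the advisory or the graphql-modules
// project. Package name follows the advisory (@graphql-modules/core).

const AFFECTED_RANGES = [
  ["2.2.1", "2.4.0"],
  ["3.0.0", "3.1.0"],
];

function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(text);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Extract the installed version from `npm list <pkg>` output, e.g.
// "└── @graphql-modules/core@2.3.0". Returns null when the package is absent.
function installedVersionFromNpmList(output, pkgName) {
  const escaped = pkgName.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
  const m = new RegExp(escaped + "@(\\d+\\.\\d+\\.\\d+)").exec(output);
  return m ? m[1] : null;
}

// True when the version falls inside one of the advisory's affected ranges.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) <= 0);
}

// files: { "path": "source text" }. Returns the paths that use the decorator.
function findExecutionContextUsage(files) {
  return Object.entries(files)
    .filter(([, src]) => /@ExecutionContext\s*\(\s*\)/.test(src))
    .map(([path]) => path);
}

function assess(npmListOutput, files, pkgName = "@graphql-modules/core") {
  const version = installedVersionFromNpmList(npmListOutput, pkgName);
  if (!version) return { status: "not-installed", version: null, usages: [] };
  const usages = findExecutionContextUsage(files);
  if (!isAffectedVersion(version)) return { status: "not-affected-version", version, usages };
  return {
    status: usages.length ? "vulnerable" : "affected-version-no-usage-found",
    version,
    usages,
  };
}

// Constructed sample input (not captured from a real project).
const SAMPLE_NPM_LIST = "my-api@1.0.0 /srv/my-api\n└── @graphql-modules/core@2.3.0\n";
const SAMPLE_FILES = {
  "src/auth.service.ts":
    "@Injectable()\nexport class AuthService {\n  @ExecutionContext() private ctx: ExecutionContext;\n}\n",
  "src/health.service.ts": "export class HealthService { ping() { return 'ok'; } }\n",
};

console.log(JSON.stringify(assess(SAMPLE_NPM_LIST, SAMPLE_FILES), null, 2));
// → status "vulnerable", version "2.3.0", usages ["src/auth.service.ts"]
```

The script reads the installed version rather than the range declared in package.json, because a declared range such as ^2.2.1 does not say which version is actually resolved; a status of affected-version-no-usage-found still warrants the upgrade, since the decorator may be used in a dependency the scan did not cover.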
📡 Detection & Monitoring
Log Indicators:
- Unexpected context mixing in service logs
- Authentication failures from mismatched tokens
- Concurrent requests to same service endpoint
Network Indicators:
- Parallel GraphQL requests to same operation
- Increased error rates on context-dependent operations
SIEM Query:
source="graphql" AND ("ExecutionContext" OR "context mixing") AND status=error