CVE-2026-23735 in graphql-modules
Summary
by MITRE • 01/16/2026
GraphQL Modules is a toolset of libraries and guidelines dedicated to creating reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.
Analysis
by VulDB Data Team • 01/16/2026
This vulnerability affects GraphQL Modules, a toolset designed to create reusable and maintainable GraphQL server modules. The issue manifests in versions between 2.2.1 and 2.4.1, as well as 3.1.1 and prior releases, where concurrent request processing creates a critical context mixing problem. When multiple parallel requests trigger the same service, the execution context becomes corrupted, leading to unauthorized access and data leakage scenarios.
The technical flaw stems from improper handling of shared state within the GraphQL execution environment. The @ExecutionContext decorator is specifically designed to pass authentication tokens and other request-specific data from incoming requests to backend services. However, when multiple requests are processed simultaneously, the context injection mechanism fails to maintain proper isolation between concurrent operations, causing authentication tokens and other contextual data from one request to be incorrectly associated with another request's execution. This represents a classic race condition vulnerability that violates fundamental security principles of request isolation and data integrity.
The operational impact of this vulnerability is severe as it directly compromises the authentication and authorization mechanisms of GraphQL applications. Attackers can exploit this weakness by crafting concurrent requests that target the same service endpoint, potentially enabling them to access data belonging to other users or perform unauthorized operations. The vulnerability is particularly dangerous in multi-tenant environments or applications handling sensitive user data, as it could allow cross-user data leakage and privilege escalation attacks. This flaw directly maps to CWE-362, which describes race conditions in concurrent programming, and aligns with ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing via email.
The fix implemented in versions 2.4.1 and 3.1.1 addresses the core concurrency issue by ensuring proper request context isolation during parallel execution. Remediation of this bug class typically involves keeping request-scoped state in per-request storage (thread-local or, for a single-threaded Node.js runtime, async-local storage) rather than on a shared service instance, so that the authentication token and other contextual data of one request can never be overwritten by another. Organizations should upgrade to the patched versions immediately to eliminate this security risk. Additionally, monitoring and logging of concurrent request patterns can help detect potential exploitation attempts, and regular security assessments should verify that no other similar concurrency issues exist in the GraphQL server architecture, for example with a regression test that issues parallel requests carrying distinct tokens and checks that each response reflects only its own request's context. The vulnerability highlights the critical importance of proper state management in concurrent web applications and serves as a reminder of the security implications of shared mutable state in distributed systems.