GraphQL Modules CVE-2026-23735
Lifecycle Timeline
3DescriptionCVE.org
GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.
AnalysisAI
testable and extendable modules out of your GraphQL server. From 2.2.1 to versions up to 2.4.1 is affected by race condition.
Technical ContextAI
This vulnerability (CWE-362: Race Condition) exists in the the component. GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from back
Affected ProductsAI
Product: testable and extendable modules out of your GraphQL server. From 2.2.1 to. Versions: up to 2.4.1. Component: the.
RemediationAI
Fixed in version 2.4.1.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-53wg-r69p-v3r7