CVE-2026-23735

GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.

CVSS

No CVSS.

References

Link	Resource
https://github.com/graphql-hive/graphql-modules/issues/2613
https://github.com/graphql-hive/graphql-modules/pull/2521
https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568
https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) GraphQL Modules es un conjunto de herramientas de bibliotecas y directrices dedicado a crear módulos reutilizables, mantenibles, testeables y extensibles a partir de tu servidor GraphQL. Desde la versión 2.2.1 hasta antes de la 2.4.1 y la 3.1.1, cuando se realizan 2 o más solicitudes paralelas que activan el mismo servicio, el contexto de las solicitudes se mezcla en el servicio cuando el contexto se inyecta a través de @ExecutionContext(). ExecutionContext se utiliza a menudo para pasar tokens de autenticación de solicitudes entrantes a servicios que cargan datos de APIs de backend. Esta vulnerabilidad se corrige en las versiones 2.4.1 y 3.1.1.

16 Jan 2026, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-16 20:15

Updated : 2026-04-15 00:35

NVD link : CVE-2026-23735

Mitre link : CVE-2026-23735

CVE.ORG link : CVE-2026-23735

JSON object : View

Products Affected

No product.

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2026-23735", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-16T20:15:51.473", "references": [{"url": "https://github.com/graphql-hive/graphql-modules/issues/2613", "source": "security-advisories@github.com"}, {"url": "https://github.com/graphql-hive/graphql-modules/pull/2521", "source": "security-advisories@github.com"}, {"url": "https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568", "source": "security-advisories@github.com"}, {"url": "https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1."}, {"lang": "es", "value": "GraphQL Modules es un conjunto de herramientas de bibliotecas y directrices dedicado a crear m\u00f3dulos reutilizables, mantenibles, testeables y extensibles a partir de tu servidor GraphQL. Desde la versi\u00f3n 2.2.1 hasta antes de la 2.4.1 y la 3.1.1, cuando se realizan 2 o m\u00e1s solicitudes paralelas que activan el mismo servicio, el contexto de las solicitudes se mezcla en el servicio cuando el contexto se inyecta a trav\u00e9s de @ExecutionContext(). ExecutionContext se utiliza a menudo para pasar tokens de autenticaci\u00f3n de solicitudes entrantes a servicios que cargan datos de APIs de backend. Esta vulnerabilidad se corrige en las versiones 2.4.1 y 3.1.1."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}