Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder gqls module which provides a graphql interface.

The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing email addresses.