PT-2026-3319 · Unknown · Graphql-Modules

Duckthom · Published 2026-01-16 · Updated 2026-01-17 · CVE-2026-23735

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

GraphQL Modules versions 2.2.1 through 2.4.0
GraphQL Modules versions 3.1.1

Description

GraphQL Modules has an issue where, when two or more parallel requests trigger the same service, the contexts of those requests can become mixed up within the service if the context is injected via @ExecutionContext(). The ExecutionContext is often used to pass authentication tokens from incoming requests to services that load data from backend APIs, so a mixed-up context can lead to unauthorized access or data breaches.

The vulnerability occurs when using the @ExecutionContext() decorator. The context variable can be affected when multiple requests are processed concurrently.

An estimate of the number of potentially affected devices worldwide is not available. There are no reports of real-world incidents in which this issue was exploited.

Recommendations

Update to GraphQL Modules version 2.4.1 or later.
Update to GraphQL Modules version 3.1.1 or later.
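
The failure mode in the description, as an added regression check that is not code from GraphQL Modules or from this advisory: it models a singleton service that reads its context from one shared slot, compares it with a service bound to a single request, and reports every parallel request whose service call used another request's token. All class, function and token names are hypothetical, and the shared-slot model is an assumption about this class of bug, not the library's internals.

```javascript
// Simplified model of the failure mode (an assumption, not GraphQL Modules internals):
// a singleton service reads the request context from one shared slot.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

class SharedSlotService {
  setContext(ctx) { this.context = ctx; } // overwritten by every incoming request
  async loadProfile(delayMs) {
    await sleep(delayMs);                 // stands in for the backend API call
    return this.context.token;            // read after the await: may be another request's
  }
}

class PerRequestService {
  constructor(ctx) { this.context = ctx; } // context bound to exactly one request
  async loadProfile(delayMs) {
    await sleep(delayMs);
    return this.context.token;
  }
}

const singleton = new SharedSlotService();
const sharedHandler = (ctx, delayMs) => {
  singleton.setContext(ctx);
  return singleton.loadProfile(delayMs);
};
const isolatedHandler = (ctx, delayMs) => new PerRequestService(ctx).loadProfile(delayMs);

// Regression check: run n overlapping requests with distinct constructed tokens
// and return every request whose service call used a token other than its own.
async function findMixedContexts(handler, n = 5) {
  const requests = Array.from({ length: n }, (_, i) => ({ token: `test-token-${i}` }));
  const used = await Promise.all(requests.map((ctx, i) => handler(ctx, (n - i) * 5)));
  return used
    .map((got, i) => ({ request: i, expected: requests[i].token, got }))
    .filter((r) => r.expected !== r.got);
}

async function main() {
  console.log('shared slot :', await findMixedContexts(sharedHandler));
  console.log('per request :', await findMixedContexts(isolatedHandler));
}
main();
```

The same check can be pointed at a real resolver by replacing the handler with a function that sends a request carrying the given token and returns the token the backend call received; an empty result after upgrading indicates the contexts stay separated under concurrency.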

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-23735
GHSA-53WG-R69P-V3R7

Affected Products

Graphql-Modules