Description
GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.
Published: 2026-01-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Improper request context handling leading to potential authentication or data leakage
Action: Immediate Patch
AI Analysis

Impact

GraphQL Modules 2.x and 3.x exhibit a race condition when multiple parallel requests trigger the same service with @ExecutionContext injection. The context information, typically containing authentication tokens or per‑request data, can become mixed between requests, allowing one request to access another’s sensitive data or privileges. This flaw is a classic CWE‑362 (Race Condition) that can result in unauthorized access or data leakage.

Affected Systems

The vulnerability affects graphql-hive:graphql-modules versions 2.2.1 through 2.4.0 and any release prior to 3.1.1. Versions 2.4.1 and 3.1.1 onward contain the fixed implementation.

Risk and Exploitability

The CVSS score of 8.7 classifies this as high impact. The EPSS score of less than 1% indicates a low exploitation probability at present, and the CVE is not listed in CISA’s KEV catalog. Attackers would need to send concurrent GraphQL requests to a server that imports graphql-modules and uses @ExecutionContext to propagate authentication; no local privilege escalation is required.

Generated by OpenCVE AI on April 18, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GraphQL Modules to at least 2.4.1 or 3.1.1, whichever is compatible with your application
  • Update the deployed dependency configuration so the new version is used in production
  • If an upgrade cannot occur immediately, limit concurrent requests to the affected service or temporarily avoid using @ExecutionContext for authentication contexts until the library is patched

Generated by OpenCVE AI on April 18, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-53wg-r69p-v3r7 GraphQL Modules has a Race Condition issue
History

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Graphql-hive
Graphql-hive graphql-modules
Vendors & Products Graphql-hive
Graphql-hive graphql-modules

Fri, 16 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Description GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.
Title Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in graphql-modules
Weaknesses CWE-362
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Graphql-hive Graphql-modules
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T20:28:19.571Z

Reserved: 2026-01-15T15:45:01.957Z

Link: CVE-2026-23735

cve-icon Vulnrichment

Updated: 2026-01-16T20:28:11.535Z

cve-icon NVD

Status : Deferred

Published: 2026-01-16T20:15:51.473

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23735

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses