{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23735", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.957Z", "datePublished": "2026-01-16T20:04:19.672Z", "dateUpdated": "2026-01-16T20:28:19.571Z"}, "containers": {"cna": {"title": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in graphql-modules", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7"}, {"name": "https://github.com/graphql-hive/graphql-modules/issues/2613", "tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-hive/graphql-modules/issues/2613"}, {"name": "https://github.com/graphql-hive/graphql-modules/pull/2521", "tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-hive/graphql-modules/pull/2521"}, {"name": "https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568", "tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568"}], "affected": [{"vendor": "graphql-hive", "product": "graphql-modules", "versions": [{"version": ">= 2.2.1, < 2.4.1", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T20:04:19.672Z"}, "descriptions": [{"lang": "en", "value": "GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1."}], "source": {"advisory": "GHSA-53wg-r69p-v3r7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T20:27:47.456616Z", "id": "CVE-2026-23735", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T20:28:19.571Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23735", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T20:27:47.456616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T20:28:11.535Z"}}], "cna": {"title": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in graphql-modules", "source": {"advisory": "GHSA-53wg-r69p-v3r7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "graphql-hive", "product": "graphql-modules", "versions": [{"status": "affected", "version": ">= 2.2.1, < 2.4.1"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.1"}]}], "references": [{"url": "https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7", "name": "https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/graphql-hive/graphql-modules/issues/2613", "name": "https://github.com/graphql-hive/graphql-modules/issues/2613", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/graphql-hive/graphql-modules/pull/2521", "name": "https://github.com/graphql-hive/graphql-modules/pull/2521", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568", "name": "https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T20:04:19.672Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23735", "state": "PUBLISHED", "dateUpdated": "2026-01-16T20:28:19.571Z", "dateReserved": "2026-01-15T15:45:01.957Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-16T20:04:19.672Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1."}, {"lang": "es", "value": "GraphQL Modules es un conjunto de herramientas de bibliotecas y directrices dedicado a crear m\u00f3dulos reutilizables, mantenibles, testeables y extensibles a partir de tu servidor GraphQL. Desde la versi\u00f3n 2.2.1 hasta antes de la 2.4.1 y la 3.1.1, cuando se realizan 2 o m\u00e1s solicitudes paralelas que activan el mismo servicio, el contexto de las solicitudes se mezcla en el servicio cuando el contexto se inyecta a trav\u00e9s de @ExecutionContext(). ExecutionContext se utiliza a menudo para pasar tokens de autenticaci\u00f3n de solicitudes entrantes a servicios que cargan datos de APIs de backend. Esta vulnerabilidad se corrige en las versiones 2.4.1 y 3.1.1."}], "id": "CVE-2026-23735", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-16T20:15:51.473", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/graphql-hive/graphql-modules/issues/2613"}, {"source": "security-advisories@github.com", "url": "https://github.com/graphql-hive/graphql-modules/pull/2521"}, {"source": "security-advisories@github.com", "url": "https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568"}, {"source": "security-advisories@github.com", "url": "https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:39:03.360729+00:00", "value": {"mitigation_remediation": ["Upgrade GraphQL Modules to at least 2.4.1 or 3.1.1, whichever is compatible with your application", "Update the deployed dependency configuration so the new version is used in production", "If an upgrade cannot occur immediately, limit concurrent requests to the affected service or temporarily avoid using @ExecutionContext for authentication contexts until the library is patched"], "summary": {"action": "Immediate Patch", "impact": "Improper request context handling leading to potential authentication or data leakage"}, "threat_synthesis": {"affected_systems": "The vulnerability affects graphql-hive:graphql-modules versions 2.2.1 through 2.4.0 and any release prior to 3.1.1. Versions 2.4.1 and 3.1.1 onward contain the fixed implementation.", "description_and_impact": "GraphQL Modules 2.x and 3.x exhibit a race condition when multiple parallel requests trigger the same service with @ExecutionContext injection. The context information, typically containing authentication tokens or per\u2011request data, can become mixed between requests, allowing one request to access another\u2019s sensitive data or privileges. This flaw is a classic CWE\u2011362 (Race Condition) that can result in unauthorized access or data leakage.", "risk_and_exploitability": "The CVSS score of 8.7 classifies this as high impact. The EPSS score of less than 1% indicates a low exploitation probability at present, and the CVE is not listed in CISA\u2019s KEV catalog. Attackers would need to send concurrent GraphQL requests to a server that imports graphql-modules and uses @ExecutionContext to propagate authentication; no local privilege escalation is required."}}}}, "created": "2026-01-19T09:19:38.762913+00:00", "updated": "2026-04-18T05:45:38.172609+00:00", "vendors": ["graphql-hive", "graphql-hive$PRODUCT$graphql-modules"]}