GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050

Project: GraphQLDate: 2023-November-08Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <3.4.0 || >=4.0.0 <4.6.0Description: This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.
The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability.
This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt-in for supporting different logic on entity types. Additionally your schema must make use of the EntityLabel DataProducer to be affected.Solution: Install the latest version:

Reported By: 

Fixed By: 

Coordinated By: 

Path to article