Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-23735

Good to know:

icon
icon

Date: January 16, 2026

GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.

Severity Score

Related Resources (7)

https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568
https://nvd.nist.gov/vuln/detail/CVE-2026-23735
https://github.com/graphql-hive/graphql-modules/pull/2521
https://github.com/graphql-hive/graphql-modules/issues/2613
https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7
https://github.com/graphql-hive/graphql-modules
https://www.mend.io/vulnerability-database/CVE-2026-23735

Severity Score

Weakness Type (CWE)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

Top Fix

icon

Upgrade Version

Upgrade to version graphql-modules - 2.4.1;graphql-modules - 3.1.1;https://github.com/graphql-hive/graphql-modules.git - graphql-modules@3.1.1;https://github.com/graphql-hive/graphql-modules.git - graphql-modules@2.4.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us