GraphQL – Moderately critical – Access bypass – SA-CONTRIB-2023-050

Drupal Security Advisory

Project: 
Date: 
2023-November-08
Vulnerability: 
Access bypass
Affected versions: 
<3.4.0 || >=4.0.0 <4.6.0
Description: 

This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.

The module currently does not adequately verify whether a given user has the necessary permissions to access an entity’s label creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt-in for supporting different logic on entity types. Additionally your schema must make use of the EntityLabel DataProducer to be affected.

Solution: 

Install the latest version:

Reported By: 
Coordinated By: 

READ MORE