CVE-2026-23735 HIGH

CVE-2026-23735: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in graphql-modules

Vendor Graphql-Hive
Product graphql-modules
Weakness CWE-362
Published January 16, 2026
Last update January 16, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

GraphQL Modules is a toolset of libraries and guidelines for building reusable, maintainable, testable and extendable modules out of your GraphQL server. In versions from 2.2.1 to before 2.4.1 and 3.1.1, when two or more parallel requests trigger the same service, the contexts of those requests are mixed up inside the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.

Key dates

02 Disclosure timeline

January 16, 2026 CVE published
January 16, 2026 Record updated