DRUPAL-CONTRIB-2023-050

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/graphql/DRUPAL-CONTRIB-2023-050.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-050
Published
2023-11-08T15:30:45Z
Modified
2025-12-10T23:31:56.855834Z
Summary
[none]
Details

This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.

The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label, creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt in to support different logic on entity types. Additionally, your schema must make use of the EntityLabel DataProducer to be affected.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/graphql

Package

Name
drupal/graphql
Purl
pkg:composer/drupal/graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.0
Database specific
{
    "constraint": "<3.4.0"
}
Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.6.0
Database specific
{
    "constraint": ">=4.0.0 <4.6.0"
}

Database specific

affected_versions
"<3.4.0 || >=4.0.0 <4.6.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/graphql/DRUPAL-CONTRIB-2023-050.json"