Tools: CVE-2026-23735: Singleton Roulette: Racing for Context in GraphQL Modules

Source: Dev.to

Vulnerability ID: CVE-2026-23735
CVSS Score: 8.7
Published: 2026-01-16

## ⚠️ Exploit Status: POC

A high-severity race condition (CVSS 8.7) in the popular graphql-modules library allows request contexts to cross-pollinate when the @ExecutionContext decorator is used inside Singleton-scoped services. User A can unintentionally inherit the session, authentication tokens, or data of User B when their requests are processed concurrently.

Using @ExecutionContext() inside a Singleton service in graphql-modules creates shared mutable state: there is one service instance for the whole process, so every in-flight operation reads and writes the same context property. In any concurrent deployment (which is to say any real-world API) this is a classic race condition: parallel requests overwrite each other's context data, and a resolver that reads the context after an await can find another user's context there. The result is severe identity confusion and data leakage. The fix is to upgrade to version 2.4.1 or 3.1.1, or to stop injecting the execution context into singletons.

## Technical Details

- CWE: CWE-362 (Race Condition)
- CVSS v4.0: 8.7 (High)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None

## Affected Systems

- GraphQL Modules (npm package: graphql-modules)
- graphql-modules: >= 2.2.1 < 2.4.1 (Fixed in: 2.4.1)
- graphql-modules: >= 3.0.0 < 3.1.1 (Fixed in: 3.1.1)

## Code Analysis

## Commit: b476c22

Fix ExecutionContext race condition in Singletons

No diff available.

## Exploit Details

- GitHub Advisory: Official PoC demonstrating the race condition with async resolvers.

## Mitigation Strategies

- Upgrade graphql-modules to the patched versions.
- Refactor Singleton services to use Scope.Operation or Scope.Request.
- Remove @ExecutionContext() usage in Singletons and pass context as method arguments.

Remediation checklist:

- Identify all services using @Injectable({ scope: Scope.Singleton }).
- Check whether these services use the @ExecutionContext() decorator.
- Run npm install graphql-modules@latest, or specifically target 2.4.1 / 3.1.1.
- Verify the fix by running the parallel request PoC.

## References

- Original Issue Report
- GraphQL Modules Documentation

Read the full report for CVE-2026-23735 on our website for more details, including interactive diagrams and full exploit analysis.
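The race described above, reduced to its mechanism, as an added example that is not code from the graphql-modules project or from the advisory. The DI container and the @ExecutionContext() property are simulated by a plain class whose context field is reassigned at the start of every operation; the service class names, the two constructed users and the `provide` factory are assumptions made for this illustration. The block runs the same two concurrent operations against the vulnerable singleton shape, an operation-scoped instance (mitigation 2) and a stateless service that takes the context as an argument (mitigation 3):

```typescript
// Added example for CVE-2026-23735; not graphql-modules code. The DI container and the
// @ExecutionContext() property are simulated by a class whose context field is reassigned
// at the start of every operation, which is the shared mutable state the advisory describes.

interface RequestContext {
  userId: string;
  authToken: string;
}

interface ProfileService {
  getProfile(ctx: RequestContext): Promise<string>;
}

// Stand-in for a resolver's async work (DB call, downstream HTTP): yields to the event
// loop so another in-flight operation can run before this one resumes.
async function asyncWork(): Promise<void> {
  await Promise.resolve();
}

// VULNERABLE shape: per-request context stored on an instance that every request shares.
class ContextOnSingletonService implements ProfileService {
  private context!: RequestContext; // plays the role of an @ExecutionContext() property

  async getProfile(incoming: RequestContext): Promise<string> {
    this.context = incoming; // the framework effectively does this once per operation
    await asyncWork();       // a concurrent operation can overwrite this.context here
    return `${this.context.userId}/${this.context.authToken}`; // may be another user's
  }
}

// HARDENED shape (mitigation 3): context is a method argument and the singleton keeps
// no per-request state, so interleaving cannot mix requests up.
class StatelessService implements ProfileService {
  async getProfile(ctx: RequestContext): Promise<string> {
    await asyncWork();
    return `${ctx.userId}/${ctx.authToken}`;
  }
}

interface RaceResult {
  aliceSaw: string;
  bobSaw: string;
}

// Two operations from different users started back to back, as a GraphQL server would.
// `provide` models the DI scope: the same instance every time (Singleton) or a fresh
// instance per operation (Scope.Operation, mitigation 2).
async function runConcurrently(provide: () => ProfileService): Promise<RaceResult> {
  const alice: RequestContext = { userId: "alice", authToken: "tok-A" }; // constructed sample
  const bob: RequestContext = { userId: "bob", authToken: "tok-B" };     // constructed sample
  const [aliceSaw, bobSaw] = await Promise.all([
    provide().getProfile(alice),
    provide().getProfile(bob),
  ]);
  return { aliceSaw, bobSaw };
}

interface Demonstration {
  singleton: RaceResult;       // shared instance + context on the instance: leaks
  operationScoped: RaceResult; // fresh instance per operation: no leak
  stateless: RaceResult;       // context passed as an argument: no leak
}

async function demonstrateRace(): Promise<Demonstration> {
  const shared = new ContextOnSingletonService();
  return {
    singleton: await runConcurrently(() => shared),
    operationScoped: await runConcurrently(() => new ContextOnSingletonService()),
    stateless: await runConcurrently(() => new StatelessService()),
  };
}

// The check a parallel-request PoC makes: did each user get back only their own data?
function contextLeaked(result: RaceResult): boolean {
  return result.aliceSaw !== "alice/tok-A" || result.bobSaw !== "bob/tok-B";
}
```

With the shared instance, Alice's operation resumes after its await and reads Bob's user id and token, because Bob's operation reassigned the one context field while Alice was suspended; the operation-scoped and stateless variants return each user's own data. The ordering is deterministic here because both operations suspend on a resolved promise; in a real server the window is the duration of whatever the resolver awaits.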
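The remediation checklist above (find Singleton-scoped services, check them for @ExecutionContext(), confirm the installed version) as an added audit helper; this is tooling written for this page, not part of graphql-modules or the advisory. The version ranges are the ones the advisory lists; the source scanner, its regexes and the constructed sample source are assumptions made for the example:

```typescript
// Added audit helper for the CVE-2026-23735 remediation checklist; not graphql-modules code.
// Check 1: is an installed graphql-modules version inside one of the advisory's ranges?
// Check 2: does a source file declare an @Injectable service that is Singleton-scoped (or
// has no explicit scope) and also uses @ExecutionContext()?

// Ranges exactly as the advisory lists them (semver; the fixed version is excluded).
const VULNERABLE_RANGES: Array<{ min: string; fixedIn: string }> = [
  { min: "2.2.1", fixedIn: "2.4.1" },
  { min: "3.0.0", fixedIn: "3.1.1" },
];

function parseSemver(version: string): [number, number, number] {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a: string, b: string): number {
  const [a1, a2, a3] = parseSemver(a);
  const [b1, b2, b3] = parseSemver(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
}

// True when `version` falls inside a range the advisory marks as affected.
function isVulnerableVersion(version: string): boolean {
  return VULNERABLE_RANGES.some(
    (r) => compareSemver(version, r.min) >= 0 && compareSemver(version, r.fixedIn) < 0,
  );
}

interface Finding {
  className: string;
  scope: "Singleton" | "unspecified"; // unspecified: @Injectable() with no scope given
}

// Finds classes decorated with @Injectable(...) and checks whether the class text (up to
// the next @Injectable or end of file) contains @ExecutionContext(). Operation-scoped
// services are skipped; every other service that injects the context is reported, and
// services with no explicit scope are reported for manual review rather than assumed safe.
function scanSource(source: string): Finding[] {
  const heads: Array<{ index: number; args: string; className: string }> = [];
  const decl = /@Injectable\(([^)]*)\)\s*(?:export\s+)?class\s+(\w+)/g;
  let m: RegExpExecArray | null;
  while ((m = decl.exec(source)) !== null) {
    heads.push({ index: m.index, args: m[1], className: m[2] });
  }
  const findings: Finding[] = [];
  heads.forEach((head, i) => {
    const end = i + 1 < heads.length ? heads[i + 1].index : source.length;
    const body = source.slice(head.index, end);
    if (!/@ExecutionContext\(\)/.test(body)) return;
    if (/Scope\.Operation/.test(head.args)) return;
    findings.push({
      className: head.className,
      scope: /Scope\.Singleton/.test(head.args) ? "Singleton" : "unspecified",
    });
  });
  return findings;
}

// Constructed sample source covering the four cases an audit meets.
const SAMPLE_SOURCE = `
@Injectable({ scope: Scope.Singleton })
export class SessionService {
  @ExecutionContext() private ctx!: ExecutionContext;  // flagged: context on a singleton
}

@Injectable({ scope: Scope.Operation })
export class PerOperationService {
  @ExecutionContext() private ctx!: ExecutionContext;  // fine: fresh instance per operation
}

@Injectable({ scope: Scope.Singleton })
export class PriceService {
  getPrice(sku: string) { return 42; }                 // fine: no context on the instance
}

@Injectable()
export class LegacyService {
  @ExecutionContext() private ctx!: ExecutionContext;  // no explicit scope: review by hand
}
`;
```

Run `scanSource` over each service file and `isVulnerableVersion` over the `graphql-modules` entry in the lockfile; a hit on either means the fix has not landed yet. The scanner is textual, so a decorator split across lines or imported under an alias will slip past it; treat it as a first pass before the parallel-request PoC, not as proof of absence.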