GraphQL
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. It gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools.
From a security perspective, GraphQL introduces a unique attack surface that differs significantly from traditional REST APIs. Introspection queries can expose the entire schema — every type, field, and relationship — giving attackers a detailed map of the application's data model. Deeply nested queries enable denial-of-service through resource exhaustion, while batch queries can bypass rate limiting designed for REST endpoints.
Common GraphQL security issues include broken authorization on field-level resolvers, information disclosure through verbose error messages, and injection vulnerabilities in custom directives or filters. Many applications disable introspection in production but forget to restrict it in staging environments, or expose schema details through autocomplete suggestions.
Testing GraphQL requires specialized tools and techniques. Unlike REST APIs where endpoints are enumerable, GraphQL consolidates everything behind a single endpoint, requiring schema-aware fuzzing and query manipulation.
This page collects security research, testing methodologies, and real-world vulnerabilities specific to GraphQL APIs — from introspection abuse to authorization bypasses and injection attacks.
From graphql.org
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-04-22 | CVE-2025-59845: CSRF Vulnerability in Apollo Studio Embeddable Explorer and Sandbox | |
| 2026-04-22 | CVE-2025-31496: GraphQL Query Vulnerability in Apollo Compiler Leading to DoS | |
| 2026-04-22 | The 16-Hour Window: Catching a GraphQL Authorization Flaw | |
| 2026-04-22 | GraphQLer: Context-Aware GraphQL API Fuzzing Tool | |
| 2026-04-22 | Exploiting GraphQL Query Depth | |
| 2026-04-22 | Exploiting Broken Authentication Control in GraphQL | |
| 2026-04-22 | Didn't Notice Your Rate Limiting: GraphQL Batching Attack | |
| 2026-04-22 | Avoid GraphQL Denial-of-Service Attacks through Batching and Aliasing | |
| 2026-04-22 | API Threat Research: GraphQL Authorization Flaws in a FinTech Platform | |
| 2026-04-22 | Apollo Router Query Planner Excessive Resource Consumption via Named Fragment Expansion (CVE-2025-32034) | |
| 2026-04-19 | PayloadsAllTheThings — GraphQL Injection | |
| 2026-04-19 | Approaching GraphQL End Points — Bug Bounty Notes | |
| 2026-04-19 | DoS via Mutation Aliasing in GraphQL — HackerOne Disclosure | |
| 2026-04-19 | GraphQL API Vulnerabilities Learning Path — PortSwigger | |
| 2026-04-19 | GraphQL Introspection Security: Lessons from the Parse Server Vulnerability | |
| 2026-04-17 | Hasura GraphQL 1.3.3 Local File Read via SQL Injection | |
| 2026-04-17 | Discovering GraphQL endpoints and SQLi vulnerabilities | |
| 2026-04-17 | HackerOne Report #435066: SQL injection in GraphQL endpoint | |
| 2026-04-17 | Prisma and PostgreSQL vulnerable to NoSQL injection? (Aikido) | |
| 2026-04-17 | GraphQL Security: 9 Best Practices to Protect Your API (Escape) | |
| 2026-04-17 | Authorization in GraphQL (Apollo) | |
| 2026-04-17 | 9 Ways To Secure your GraphQL API - Apollo Checklist | |
| 2026-04-17 | Enforcing GraphQL security best practices with GraphOS | |
| 2026-04-17 | Apollo Authentication and Authorization Docs | |
| 2026-04-17 | Securing GraphQL API endpoints using rate limits and depth limits (LogRocket) | |
| 2026-04-17 | Cyclic Queries and Depth Limiting (Escape) | |
| 2026-04-17 | IDOR Vulnerability In GraphQL Api On inmobi.com | |
| 2026-04-17 | Exploiting GraphQL: Complete Guide for Bug Bounty Hunters | |
| 2026-04-17 | Exploiting GraphQL for fun and bounties (BugBase) | |
| 2026-04-17 | GraphQL for Bug Bounty (Mudhalai Mr) | |
| 2026-04-17 | GraphQL IDOR leads to information disclosure (Eshan Singh) | |
| 2026-04-17 | Bug Bounty: BAC in GraphQL (10 Major Vulns - Cloverleaf) | |
| 2026-04-17 | Exploiting GraphQL for Penetration Testing (Raxis) | |
| 2026-04-17 | OWASP WSTG: Testing GraphQL | |
| 2026-04-17 | Exploiting GraphQL Vulnerabilities: Misconfig to Data Leaks | |
| 2026-04-16 | BatchQL: GraphQL Security Auditing for Batch Attacks | |
| 2026-04-16 | InQL: Advanced GraphQL Security Testing Burp Extension | |
| 2026-04-16 | Exploiting CSRF in GraphQL Applications | |
| 2026-04-16 | GraphQL Vulnerabilities Cheat Sheet | |
| 2026-04-16 | Exploiting GraphQL (Assetnote Research) | |
| 2026-04-16 | GraphQL Discovery: Pentesting 101 Guide | |
| 2026-04-16 | GraphQL Pentesting: Beginner's Guide to Advanced | |
| 2026-04-16 | The Complete GraphQL Security Guide: Fixing the 13 Most Common Vulnerabilities | |
| 2026-04-16 | Abusing GraphQL Introspection: A Gateway for Recon and Exploitation | |
| 2026-04-16 | Exploiting GraphQL: A Full-Spectrum Security Assessment | |
| 2026-04-10 | Common Attacks on REST APIs and GraphQL APIs | |
| 2026-04-10 | GraphQL API Security: Common Vulnerabilities and Exploits | |
| 2026-04-10 | GraphQL Security Testing: Introspection Abuse, Injection, and DoS | |
| 2026-04-10 | Hacking (and Securing) GraphQL | |
| 2026-04-10 | GraphQL API Vulnerabilities - PortSwigger | |
| 2026-04-10 | GraphQL Attacks and Vulnerabilities | |
| 2026-04-10 | How a GraphQL Bug Resulted in Authentication Bypass | |
| 2026-04-10 | Top GraphQL Security Vulnerabilities: Analyzing 1,500+ Endpoints | |
| 2026-04-10 | GraphQL API Security Risks Every Developer Should Know | |
| 2026-04-10 | GraphQL API Vulnerabilities and Common Attacks | |
| 2026-04-10 | Exploiting Broken Access Control on GraphQL | |
| 2026-04-10 | GraphQL Security: 7 Common Vulnerabilities and Mitigations | |
| 2026-04-10 | GraphQL Security Flaws and Exploitation | |
| 2026-04-06 | Cybersecurity Deep Dive: The Complete Guide to Protecting Modern Applications | |
| 2026-04-06 | How Does StackHawk Work? | |
| 2026-04-06 | GraphQL Security Vulnerabilities Guide - SecPortal | |
| 2026-04-06 | Vespasian: It Sees What Static Analysis Can't - API Endpoint Discovery | |
| 2026-04-06 | GraphQL Security: How I Found and Exploited Critical IDOR and Authorization Bypass | |
| 2026-04-03 | GraphQL Security Testing Guide (2026) | |
| 2026-04-03 | A Pentester's Guide to Server Side Template Injection (SSTI) \| Cobalt | |
| 2026-04-03 | GraphQL Security Complete Guide \| Payload Playground | |
| 2026-04-03 | GraphQL Vulnerabilities and Common Attacks Seen in the Wild \| Imperva | |
| 2026-04-03 | GraphQL API Vulnerabilities, Common Attacks & Security Tips | |
| 2026-04-03 | Hacking GraphQL Endpoints in Bug Bounty Programs \| YesWeHack | |
| 2026-04-03 | PayloadsAllTheThings - GraphQL Injection | |
| 2026-04-03 | GraphQL \| HackTricks | |
| 2026-04-03 | GraphQL Cheat Sheet \| OWASP | |
| 2026-04-03 | GraphQL Security from a Pentester's Perspective \| AFINE | |
| 2025-08-14 | Mastering the Realm of GraphQL Exploitation | The content is titled "Mastering the Realm of GraphQL Exploitation" and appears to focus on the topic of exploiting GraphQL. It suggests a deep dive into understanding and potentially exploiting GraphQL, a query language for APIs. The title implies that the content may cover advanced techniques or strategies for manipulating GraphQL queries to gain unauthorized access or extract sensitive information. |
| 2025-08-14 | GraphQL - Security Overview and Testing Tips · Doyensec's Blog | The content titled "GraphQL - Security Overview and Testing Tips" on Doyensec's Blog likely discusses security considerations related to GraphQL APIs and provides tips for testing the security of GraphQL implementations. It is expected to cover key aspects of securing GraphQL endpoints and offer guidance on how to effectively test the security measures in place. The article may delve into common security vulnerabilities in GraphQL systems and suggest best practices for ensuring the safety and integrity of data exchanged through GraphQL APIs. |
| 2025-08-14 | Facebook GraphQL CSRF – These aren't the access_tokens you're looking for | The content appears to be about a security vulnerability related to Facebook's GraphQL technology, specifically concerning Cross-Site Request Forgery (CSRF) attacks. The title suggests that access tokens may be involved in this vulnerability. It seems to warn users or developers that the access tokens they are using may not be secure or may be compromised in some way. The phrase "These aren't the access_tokens you're looking for" implies that there may be deceptive or unauthorized access tokens being used in this context. |
| 2025-08-14 | andev-software/graphql-ide: ⚡️ GraphQL IDE - An extensive IDE for exploring | The content is a brief description of a GraphQL IDE developed by andev-software. It is described as an extensive tool for exploring GraphQL. The tool is likely designed to assist users in interacting with GraphQL APIs, visualizing schemas, and executing queries. The use of emojis like ⚡️ suggests that the IDE may be fast and efficient. |
| 2025-08-14 | https://github.com/gsmith257-cyber/GraphCrawler | The link provided leads to a GitHub repository named GraphCrawler created by a user named gsmith257-cyber. The content of the repository likely contains information, code, or files related to graph crawling. The specifics of the content are not provided in the summary request. |
| 2025-08-14 | https://blog.assetnote.io/2021/08/29/exploiting-graphql/ | The content discusses the exploitation of GraphQL, a query language for APIs. It highlights security vulnerabilities in GraphQL implementations, focusing on unauthorized access to sensitive data, excessive data exposure, and denial of service attacks. The article provides insights into common attack vectors, such as introspection queries and nested queries, and offers recommendations to secure GraphQL APIs, including implementing proper authorization mechanisms, rate limiting, and input validation. It emphasizes the importance of thorough testing and monitoring to prevent potential security risks associated with GraphQL APIs. |
| 2025-08-14 | Full Read SSRF on Gitlab's Internal Grafana | Program: GitLab. Severity: critical. Weakness: Server-Side Request Forgery (SSRF). Apparently, Grafana is bundled with Gitlab by default. So the grafana instance that is accessible via `/-/grafana/` is v... |
| 2025-08-14 | GraphQL introspection leads to sensitive data disclosure. | GraphQL introspection can potentially lead to the disclosure of sensitive data. Introspection allows clients to query the schema and understand the structure of the API, which can inadvertently expose sensitive information. It is important for developers to carefully manage introspection capabilities to prevent unauthorized access to confidential data. |
| 2025-08-14 | GraphQL Introspection leads to Sensitive Data Disclosure. | GraphQL Introspection can potentially lead to the disclosure of sensitive data. This feature allows clients to query the schema of a GraphQL API, potentially exposing information that should be kept private. It is essential for developers to be cautious when using GraphQL Introspection to prevent unintentional disclosure of sensitive data. |
| 2025-08-14 | [TOKOPEDIA] SITE-WIDE CSRF THROUGH GRAPHQL REQUEST | The content mentions a potential security vulnerability on the Tokopedia website related to Cross-Site Request Forgery (CSRF) through GraphQL requests. This vulnerability could allow attackers to perform unauthorized actions on behalf of users. It highlights the importance of addressing and fixing such vulnerabilities to ensure the security of the website and protect user data. |
| 2025-08-14 | swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a | The content is about a tool called GraphQLmap developed by swisskyrepo. It is described as a scripting engine designed for interacting with GraphQL. The tool likely provides functionalities to automate interactions with GraphQL APIs, making it easier for users to work with GraphQL endpoints efficiently. |
| 2025-08-14 | br3akp0int/GQLParser: A repository for GraphQL Extension for Burp Suite | The content is about a repository called br3akp0int/GQLParser, which offers a GraphQL Extension for Burp Suite. This extension likely provides additional functionality for the Burp Suite tool related to handling GraphQL requests and responses. The repository may contain code, documentation, or resources for integrating GraphQL capabilities into the Burp Suite tool for security testing and analysis purposes. |
| 2025-08-14 | doyensec/graph-ql: GraphQL Security Research Material | The content is a repository named doyensec/graph-ql that contains GraphQL security research material. The repository likely includes resources, tools, and findings related to security vulnerabilities and best practices in GraphQL implementations. It serves as a valuable source for individuals interested in understanding and improving the security aspects of GraphQL applications. |
| 2023-10-05 | Mastering the Realm of GraphQL Exploitation | The content titled "Mastering the Realm of GraphQL Exploitation" likely delves into advanced techniques for exploiting vulnerabilities in GraphQL implementations. It may cover topics such as security risks, common attack vectors, and strategies for securing GraphQL APIs. The content is likely aimed at individuals looking to deepen their understanding of GraphQL security and improve their ability to identify and mitigate potential exploits in GraphQL applications. |
| 2021-09-06 | Exploiting GraphQL | Assetnote discovered security vulnerabilities in GraphQL implementations, highlighting the importance of securing applications that use this technology. The vulnerabilities could potentially lead to data exposure or unauthorized access. It emphasizes the need for developers to follow best practices in securing GraphQL APIs to prevent exploitation by malicious actors. By being aware of these vulnerabilities and taking appropriate security measures, developers can protect their applications and users from potential threats. |
| 2021-01-26 | GraphQL 101 Challenge | The content is a practical introduction to GraphQL aimed at QA engineers. It covers the basics of GraphQL in a hands-on manner, making it accessible for those new to the technology. The challenge likely involves exercises or tasks to help participants understand and apply GraphQL concepts. It emphasizes the relevance of GraphQL for QA engineers, suggesting that the content may focus on how GraphQL can be used in testing scenarios. Overall, the challenge aims to provide a foundational understanding of GraphQL for QA engineers through interactive learning experiences. |
| 2020-02-25 | doyensec/graph-ql: GraphQL Security Research Material | The content refers to a GitHub repository called doyensec/inql, which is an extension for the Burp Suite tool designed for testing the security of GraphQL APIs. The tool, named InQL, is specifically created for conducting security assessments on GraphQL endpoints. It aims to assist in identifying and addressing potential security vulnerabilities in GraphQL implementations. |
| 2020-01-19 | Facebook GraphQL CSRF – These aren't the access_tokens you're looking for | A CSRF bug in business.instagram.com allowed unauthorized GraphQL calls. The bug was discovered in the View the Assigned Roles and Emails of an Instagram Account feature. Users without an Instagram Business account encountered an error page during login. This issue highlights a potential security vulnerability in Facebook's GraphQL system. |
| 2020-01-19 | [TOKOPEDIA] SITE-WIDE CSRF THROUGH GRAPHQL REQUEST | The content mentions a vulnerability in the Tokopedia website related to Cross-Site Request Forgery (CSRF) through GraphQL requests. This vulnerability could potentially allow attackers to perform unauthorized actions on behalf of users on the Tokopedia site. It highlights the importance of addressing and fixing such security flaws to protect user data and prevent malicious activities. |
| 2020-01-13 | GraphQL IDOR leads to information disclosure - Eshan Singh - Medium | Eshan Singh, also known as R0X4R, discusses a recent discovery of an Insecure Direct Object Reference (IDOR) vulnerability in GraphQL that led to information disclosure. The article likely delves into the impact and implications of this vulnerability in GraphQL systems. |
Frequently Asked Questions
- How is GraphQL security different from REST?
  - GraphQL consolidates all operations behind a single endpoint, making traditional API enumeration ineffective. Unique risks include schema introspection exposure, deeply nested query denial-of-service, batch query abuse to bypass rate limiting, and field-level authorization gaps in resolvers.
- Should you disable GraphQL introspection in production?
  - Yes, disabling introspection in production is a recommended security practice. It prevents attackers from mapping your entire schema, including types, fields, and relationships. However, schema details can still leak through error messages, autocomplete, and field suggestion features.
- What tools are used to test GraphQL security?
  - Common tools include GraphQL Voyager for schema visualization, InQL for Burp Suite integration, graphql-cop for automated security testing, and Clairvoyance for schema reconstruction when introspection is disabled. Manual testing with crafted queries remains essential.