CVE-2026-23735: Singleton Roulette: Racing for Context in GraphQL Modules

Published: (January 16, 2026 at 07:03 PM EST)
2 min read
Source: Dev.to

Overview

Vulnerability ID: CVE-2026-23735
CVSS Score: 8.7 (High)
Published: 2026-01-16

A high-severity race condition exists in the graphql-modules library. When the @ExecutionContext() decorator is used inside a Singleton-scoped service, the decorated property is a single field on a single shared instance, so the contexts of concurrent requests can cross-pollinate: one user's request can read the session, authentication token or other per-request data that belongs to a different request executing at the same time.

Technical Details

  • Root cause: @ExecutionContext() on a Singleton service stores the per-request context on the one instance shared by every request, i.e. as shared mutable state. Under concurrency, parallel requests overwrite that state between the moment the framework binds it and the moment an asynchronous resolver reads it, so a resolver can act on another request's identity and data (identity confusion and data leakage).
  • CWE: CWE‑362 (Race Condition)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

Affected Packages

Package           Affected Versions                  Fixed In
graphql-modules   >= 2.2.1, < 2.4.1 (2.x series)     2.4.1
graphql-modules   >= 3.0.0, < 3.1.1 (3.x series)     3.1.1

Fixes

  • Upgrade to graphql-modules 2.4.1 or 3.1.1 (or later).
  • Refactor Singleton services to use Scope.Operation or Scope.Request instead of Scope.Singleton.
  • Remove @ExecutionContext() usage in Singleton services and pass the context explicitly as method arguments.
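
The following added example (not code from the advisory or from the graphql-modules project) models the root cause and the last fix above with plain TypeScript classes and no framework. A Singleton-scoped service keeps the execution context on its one shared instance, the way a property populated by @ExecutionContext() does, and an async resolver reads it after awaiting I/O; two operations started concurrently show the second binding overwriting the first, so both operations answer as the same user. The SafeUserService variant takes the context as a method argument and keeps no per-operation state. The class, function and field names (ExecCtx, VulnerableUserService, SafeUserService, raceDemo, crossPollinated) and the two sample contexts are invented for this illustration.

```typescript
// Added example, not from the advisory or the graphql-modules code base.
// Constructed stand-in for the per-operation execution context.
interface ExecCtx {
  userId: string;
  authToken: string;
}

// Simulates I/O between binding the context and reading it
// (a database lookup, an HTTP call to another service, ...).
const yieldToEventLoop = (): Promise<void> =>
  new Promise((resolve) => setTimeout(resolve, 5));

// Vulnerable shape: one instance for the whole process, with the
// per-operation context stored on that instance. This is what a
// @ExecutionContext() property on a Scope.Singleton service amounts to.
class VulnerableUserService {
  private context?: ExecCtx;

  // Stand-in for the framework populating the decorated property.
  bindContext(ctx: ExecCtx): void {
    this.context = ctx;
  }

  async currentUser(): Promise<string> {
    await yieldToEventLoop(); // another operation can bind here
    if (!this.context) throw new Error('no execution context bound');
    return this.context.userId; // reads whatever operation bound last
  }
}

// Hardened shape: no per-operation state on the service; the caller
// passes the context explicitly, so nothing is shared across operations.
class SafeUserService {
  async currentUser(ctx: ExecCtx): Promise<string> {
    await yieldToEventLoop();
    return ctx.userId;
  }
}

// Runs two concurrent operations against each service and returns the
// user each operation believes it is. Sample contexts are constructed.
async function raceDemo(): Promise<{ vulnerable: string[]; safe: string[] }> {
  const alice: ExecCtx = { userId: 'alice', authToken: 'tok-alice' };
  const bob: ExecCtx = { userId: 'bob', authToken: 'tok-bob' };

  const vulnerable = new VulnerableUserService();
  const runVulnerable = (ctx: ExecCtx): Promise<string> => {
    vulnerable.bindContext(ctx); // framework binds, then calls the resolver
    return vulnerable.currentUser();
  };
  // Both operations start before either finishes its I/O, so bob's bind
  // overwrites alice's and both resolvers answer 'bob'.
  const vulnerableResult = await Promise.all([runVulnerable(alice), runVulnerable(bob)]);

  const safe = new SafeUserService();
  const safeResult = await Promise.all([safe.currentUser(alice), safe.currentUser(bob)]);

  return { vulnerable: vulnerableResult, safe: safeResult };
}

// True when some operation saw a user other than the one it started with,
// i.e. the cross-pollination the advisory describes.
function crossPollinated(observed: string[], expected: string[]): boolean {
  return observed.some((user, i) => user !== expected[i]);
}

raceDemo().then(({ vulnerable, safe }) => {
  console.log('singleton + shared context:', vulnerable, 'leaked:', crossPollinated(vulnerable, ['alice', 'bob']));
  console.log('explicit context argument: ', safe, 'leaked:', crossPollinated(safe, ['alice', 'bob']));
});
```

The interleaving is deterministic here because both resolvers suspend at the same await before reading the context; in a real server the window depends on how long the awaited I/O takes, which is why the bug shows up intermittently under load rather than in a single-request test.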

Remediation Steps

  1. Identify all services declared with @Injectable({ scope: Scope.Singleton }).
  2. Check whether these services use the @ExecutionContext() decorator.
  3. Upgrade the package:
    npm install graphql-modules@latest
    # or target a specific version
    npm install graphql-modules@2.4.1   # for 2.x series
    npm install graphql-modules@3.1.1   # for 3.x series
  4. Refactor any remaining Singleton services to a non‑Singleton scope or pass the context manually.
  5. Verify the fix by running the parallel‑request proof‑of‑concept (PoC) provided in the advisory.
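
As an added example for steps 1 and 2 (not a tool from the advisory or the graphql-modules project), the scanner below walks TypeScript source text and reports classes whose @Injectable() decorator declares Scope.Singleton and whose body contains an @ExecutionContext() property. It also flags a bare @Injectable() with no explicit scope, on the assumption that graphql-modules defaults to Singleton scope; verify that against the documentation for your version. The function name findSingletonContextUsers and the sample source are constructed for this illustration.

```typescript
// Added example, not from the advisory or the graphql-modules code base.
interface Finding {
  className: string;
  line: number; // 1-based line of the @ExecutionContext() property
}

// Line-oriented scan: remember the scope of the most recent @Injectable()
// decorator, attach it to the next class declaration, then watch that
// class body (tracked by brace depth) for @ExecutionContext().
function findSingletonContextUsers(source: string): Finding[] {
  const lines = source.split('\n');
  const findings: Finding[] = [];
  let pendingSingleton: boolean | null = null; // scope of the next class
  let current: { name: string; singleton: boolean } | null = null;
  let depth = 0;

  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];

    if (/@Injectable\s*\(/.test(line)) {
      // The decorator may span several lines; read ahead to its ')'.
      let decorator = line;
      let j = i;
      while (!/\)/.test(decorator) && j + 1 < lines.length) decorator += lines[++j];
      const explicit = decorator.match(/scope\s*:\s*Scope\.(\w+)/);
      // Assumption: no explicit scope means Singleton (the documented default).
      pendingSingleton = explicit === null || explicit[1] === 'Singleton';
    }

    const cls = line.match(/\bclass\s+(\w+)/);
    if (cls && pendingSingleton !== null) {
      current = { name: cls[1], singleton: pendingSingleton };
      pendingSingleton = null;
      depth = 0;
    }

    if (current) {
      if (current.singleton && /@ExecutionContext\s*\(\s*\)/.test(line)) {
        findings.push({ className: current.name, line: i + 1 });
      }
      depth += (line.match(/\{/g) ?? []).length - (line.match(/\}/g) ?? []).length;
      if (depth <= 0 && /\}/.test(line)) current = null; // left the class body
    }
  }
  return findings;
}

// Constructed sample: two risky services, one per-operation service, and one
// singleton that never touches the execution context.
const sampleSource = `
import { Injectable, ExecutionContext, Scope } from 'graphql-modules';

@Injectable({ scope: Scope.Singleton })
export class SessionService {
  @ExecutionContext()
  private context: ExecutionContext;

  currentUser() {
    return this.context.context.user;
  }
}

@Injectable({ scope: Scope.Operation })
export class PerOperationService {
  @ExecutionContext()
  private context: ExecutionContext;
}

@Injectable()
export class DefaultScopeService {
  @ExecutionContext()
  private context: ExecutionContext;
}

@Injectable({ scope: Scope.Singleton })
export class StatelessService {
  hash(input: string) { return input.length; }
}
`;

console.log(findSingletonContextUsers(sampleSource));
```

Feed it the contents of each .ts file in the project (for example by reading them in a loop) and treat every finding as a service to refactor under step 4; StatelessService is a singleton but is not reported, because it holds no request context.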

References

  • GitHub Advisory: Official PoC demonstrating the race condition with async resolvers.
  • Original Issue Report
  • GraphQL Modules Documentation

For a full analysis, interactive diagrams, and additional details, refer to the complete CVE‑2026‑23735 report on the vendor’s website.
