The Relay Race to Nowhere: Bypassing Auth in API Platform's GraphQL Node Interface
Jan 13, 2026 · 5 min read
Executive Summary (TL;DR)
API Platform's implementation of the GraphQL Relay `node` field failed to load resource-specific security metadata. By querying a sensitive resource via `node(id: "/iri")`, attackers could bypass `security` attributes (like `ROLE_ADMIN`) and read data they shouldn't see. The fix involves forcing a reverse lookup of the operation metadata based on the requested IRI.
A logic error in API Platform's GraphQL Relay implementation allows attackers to bypass security rules by querying resources via the global `node` interface, effectively ignoring configured access controls.
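Two defender-side checks that follow from the summary above, written as an added example (this is not code from the advisory, from API Platform, or from the patch): a version test against the affected ranges in the table below, and a log scan that flags Relay `node(id: ...)` lookups of a protected IRI made by a principal that lacks the role the resource's `security` rule requires. The JSON request-log format, the client and role values, and the `/admin_reports` to `ROLE_ADMIN` mapping are all constructed for the example; a real deployment would map its own protected IRI prefixes to the roles configured on those resources.

```python
import json
import re

# Affected ranges [lower, fixed) taken literally from the advisory's version table:
# everything below 3.4.17, and 4.0.0 up to (not including) 4.0.22.
AFFECTED_RANGES = (((0, 0, 0), (3, 4, 17)), ((4, 0, 0), (4, 0, 22)))


def parse_version(version):
    """Turn 'v4.0.21' or '3.4.16-rc1' into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in version.strip().lstrip("v").split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True when the installed api-platform/core version falls in an affected range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


# Matches a Relay node lookup whose id is either an inline string or a $variable.
NODE_CALL = re.compile(r'\bnode\s*\(\s*id\s*:\s*(?:"([^"]*)"|\$(\w+))')


def node_lookup_iris(query, variables):
    """Return every IRI requested through node(id: ...), resolving $variables."""
    iris = []
    for literal, var in NODE_CALL.findall(query):
        if literal:
            iris.append(literal)
        elif var in variables and isinstance(variables[var], str):
            iris.append(variables[var])
    return iris


def flag_protected_node_lookups(log_lines, protected):
    """Scan JSON request-log lines (constructed format: ts, client, roles, query, variables).

    `protected` maps an IRI prefix to the role its `security` rule requires (assumed
    configuration). A hit is a node() lookup of a protected IRI by a caller without that
    role, which is exactly the access the vulnerable node field would have served.
    """
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        roles = set(rec.get("roles", []))
        for iri in node_lookup_iris(rec["query"], rec.get("variables") or {}):
            for prefix, required in protected.items():
                if iri.startswith(prefix) and required not in roles:
                    hits.append({"ts": rec["ts"], "client": rec["client"],
                                 "iri": iri, "missing_role": required})
    return hits


# Assumed mapping: this resource is configured with security="is_granted('ROLE_ADMIN')".
PROTECTED = {"/admin_reports/": "ROLE_ADMIN"}

# Constructed sample log records (not real traffic).
SAMPLE_LOG = [json.dumps(r) for r in (
    {"ts": "2026-01-13T10:00:01Z", "client": "203.0.113.7", "roles": ["ROLE_USER"],
     "query": '{ node(id: "/admin_reports/42") { id } }', "variables": {}},
    {"ts": "2026-01-13T10:00:02Z", "client": "198.51.100.2", "roles": ["ROLE_ADMIN"],
     "query": '{ node(id: "/admin_reports/42") { id } }', "variables": {}},
    {"ts": "2026-01-13T10:00:03Z", "client": "203.0.113.7", "roles": ["ROLE_USER"],
     "query": "query($id: ID!) { node(id: $id) { id } }", "variables": {"id": "/admin_reports/7"}},
    {"ts": "2026-01-13T10:00:04Z", "client": "203.0.113.9", "roles": ["ROLE_USER"],
     "query": '{ node(id: "/books/3") { id } }', "variables": {}},
    {"ts": "2026-01-13T10:00:05Z", "client": "203.0.113.9", "roles": ["ROLE_USER"],
     "query": '{ adminReport(id: "/admin_reports/42") { id } }', "variables": {}},
)]

if __name__ == "__main__":
    for v in ("3.4.16", "3.4.17", "4.0.21", "4.0.22"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in flag_protected_node_lookups(SAMPLE_LOG, PROTECTED):
        print("suspicious node lookup:", hit)
```

Only the two `ROLE_USER` lookups of `/admin_reports/...` through `node()` are reported; the admin's lookup, the lookup of an unprotected book, and the resource-specific `adminReport` query (where the `security` rule is applied) pass. Because the regex resolves `$variables`, the scan does not miss lookups that move the IRI out of the query text.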
Technical Appendix
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| api-platform/core (api-platform) | < 3.4.17 | 3.4.17 |
| api-platform/core (api-platform) | >= 4.0.0, < 4.0.22 | 4.0.22 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-863 (Incorrect Authorization) |
| CVSS v3.1 | 7.5 (High) |
| Attack Vector | Network (GraphQL API) |
| Impact | Confidentiality Loss (Data Exfiltration) |
| Exploit Status | Trivial / PoC Available |
| KEV Status | Not Listed |
MITRE ATT&CK Mapping
CWE-863 (Incorrect Authorization): The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Known Exploits & Detection
Vulnerability Timeline