Context Bleeding: When GraphQL Requests Swap Identities in Envelop
Jan 21, 2026·6 min read·5 visits
Executive Summary (TL;DR)
The `@envelop/graphql-modules` plugin failed to properly isolate request contexts during asynchronous operations. By manually managing the `OperationController` lifecycle instead of using the framework's execution wrappers, the plugin introduced a race condition. If two requests occurred simultaneously, the second request could overwrite the context of the first, leading to severe data leakage and potential account takeovers.
A critical race condition in the @envelop/graphql-modules plugin allowed execution contexts to bleed across concurrent requests. This flaw meant that under load, one user's authentication token or session data could potentially be accessed by another user's operation.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
@envelop/graphql-modules The Guild | < [Patched Version] | Latest |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Race Condition / Context Bleeding |
| Severity | High (Data Leakage / Auth Bypass) |
| Affected Component | @envelop/graphql-modules |
| Attack Vector | Network (Concurrent Requests) |
| CVSS Estimate | 8.7 (High) |
| Fix Commit | ab49fa25... |
MITRE ATT&CK Mapping
The product contains a race condition in a concurrent environment, allowing unauthorized access to data or resources.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.