GraphQL Introspection Enabled

medium Web Application Scanning Plugin ID 112894




GraphQL is an open-source query and manipulation language for APIs, together with a server-side runtime that executes those queries against the application's dataset. GraphQL introspection lets a client query all information about the schema and the operations a GraphQL server instance supports. By leveraging this misconfiguration, an attacker could retrieve sensitive information or conduct further attacks on the discovered endpoints.

The scanner detected that GraphQL introspection is enabled on one or more endpoints of the target application.


Restrict the GraphQL introspection feature to authorized users only, or disable it.
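The following self-audit check is an added example, not part of the Tenable plugin or its detection logic. It sends the smallest introspection probe that still proves the feature is on and classifies the server's JSON reply, so a team can confirm that introspection really is disabled (or restricted) after applying the fix above. The sample response bodies and the check_endpoint helper are constructed for illustration.

```python
"""Verify whether a GraphQL endpoint still answers introspection queries.

Added example (not Tenable's plugin code). A server with introspection
enabled returns schema metadata under "data"; a server with it disabled
typically returns a validation error mentioning introspection or __schema.
"""
import json
import urllib.request

# Smallest introspection request that still proves the feature is on.
PROBE_QUERY = "{ __schema { queryType { name } } }"


def build_probe() -> bytes:
    """JSON body that a self-audit script POSTs as application/json."""
    return json.dumps({"query": PROBE_QUERY}).encode()


def classify_response(body: str) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw response body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"  # not a GraphQL JSON response at all
    if not isinstance(doc, dict):
        return "unknown"
    data = doc.get("data")
    if isinstance(data, dict) and isinstance(data.get("__schema"), dict):
        return "enabled"  # schema metadata came back: finding confirmed
    errors = doc.get("errors")
    if isinstance(errors, list):
        for err in errors:
            msg = str(err.get("message", "")).lower() if isinstance(err, dict) else ""
            if "introspection" in msg or "__schema" in msg:
                return "disabled"  # server refused the introspection field
    return "unknown"


def check_endpoint(url: str, timeout: float = 10.0) -> str:
    """POST the probe to a GraphQL endpoint you operate and classify the reply."""
    req = urllib.request.Request(
        url, data=build_probe(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_response(resp.read().decode("utf-8", "replace"))


# Constructed sample responses; not captured from any real target.
ENABLED_BODY = '{"data": {"__schema": {"queryType": {"name": "Query"}}}}'
DISABLED_BODY = ('{"errors": [{"message": "GraphQL introspection is not allowed, '
                 'but the query contained __schema"}]}')
```

Run check_endpoint against your own endpoint after deploying the fix; anything other than "disabled" (or "unknown" from an authorization error, if you chose to restrict rather than disable) means the finding is still open.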

See Also

Plugin Details

Severity: Medium

ID: 112894

Type: remote

Published: 7/12/2021

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information

CVSS v2.0

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3.0

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information