GraphQL Field Suggestions Detected

medium Web Application Scanning Plugin ID 112895



GraphQL is an open-source query and manipulation language for APIs, together with a server-side runtime that executes those queries against the application's data. By default, most GraphQL implementations include a field-suggestion feature: when a request names a field that does not exist, the error message proposes the closest valid field names (for example, "Cannot query field "usre" on type "Query". Did you mean "user"?"). An attacker can leverage this behaviour to brute-force the schema, discovering fields, types and potentially hidden or private operations even when introspection is disabled, and can then attempt to read sensitive information or perform unintended actions on the target server.

The scanner detected that the remote GraphQL server has field suggestions enabled.


Disable field suggestions if the GraphQL implementation in use supports it. Where no such switch exists, strip the "Did you mean ...?" clause from error messages in the server's error-formatting hook before responses leave the server, or consider migrating to an implementation that allows suggestions to be disabled.
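The following added example (not code from the Tenable plugin, and not tied to any particular GraphQL server) shows the three pieces of the issue side by side: the scanner-style check for a suggestion clause in a GraphQL error response, the brute-force schema discovery the description warns about, and the error-message redaction used where the implementation offers no switch. It assumes the graphql-js phrasing of the hint ("Did you mean "a", "b", or "c"?"); the endpoint is a constructed in-memory mock with a hypothetical schema, and it uses difflib to approximate the server's lexical-distance ranking.

```python
"""Check a GraphQL endpoint for field suggestions, harvest field names from them,
and show the error-message redaction that closes the leak."""
import difflib
import json
import re

# graphql-js phrases the hint as:  Did you mean "user", "users", or "userById"?
SUGGESTION_RE = re.compile(r'Did you mean (.+?)\?')
QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_suggestions(message: str) -> list[str]:
    """Return the field names offered in a 'Did you mean ...?' error message."""
    m = SUGGESTION_RE.search(message)
    return QUOTED_RE.findall(m.group(1)) if m else []


def suggestions_enabled(response: dict) -> bool:
    """The scanner-style check: does any error in the response carry a suggestion clause?"""
    return any(parse_suggestions(e.get("message", "")) for e in response.get("errors", []))


def redact_suggestions(response: dict) -> dict:
    """Hardening for implementations without a switch: strip the hint from every error
    message. The same logic belongs in the server's error-formatting hook."""
    out = json.loads(json.dumps(response))  # deep copy so the original stays intact
    for err in out.get("errors", []):
        err["message"] = SUGGESTION_RE.sub("", err.get("message", "")).rstrip()
    return out


def discover_fields(send, seeds: list[str], max_rounds: int = 10) -> set[str]:
    """Brute-force discovery of root Query fields: send deliberately wrong names,
    collect what the server suggests, mutate every discovered name into a fresh
    near miss and repeat until no new names turn up."""
    known: set[str] = set()
    queue = list(seeds)
    for _ in range(max_rounds):
        new: set[str] = set()
        for guess in queue:
            resp = send("{ %s }" % guess)
            for err in resp.get("errors", []):
                new.update(n for n in parse_suggestions(err.get("message", "")) if n not in known)
        if not new:
            break
        known |= new
        # A real name would simply succeed, so turn it into a near miss to pull in its neighbours.
        queue = [name[:-1] + "x" for name in new]
    return known


# Constructed mock endpoint standing in for a server with suggestions enabled (hypothetical schema).
# graphql-js ranks candidates by lexical distance; difflib is only an approximation of that.
MOCK_QUERY_FIELDS = ["user", "users", "userById", "adminUsers", "internalMetrics", "login"]


def mock_send(query: str, suggest: bool = True) -> dict:
    parts = query.strip("{} ").split()
    field = parts[0] if parts else ""
    if field in MOCK_QUERY_FIELDS:
        return {"data": {field: None}}
    msg = 'Cannot query field "%s" on type "Query".' % field
    close = difflib.get_close_matches(field, MOCK_QUERY_FIELDS, n=5, cutoff=0.5)
    if suggest and close:
        quoted = ['"%s"' % c for c in close]
        if len(quoted) == 1:
            hint = quoted[0]
        elif len(quoted) == 2:
            hint = " or ".join(quoted)
        else:
            hint = ", ".join(quoted[:-1]) + ", or " + quoted[-1]
        msg += " Did you mean %s?" % hint
    return {"errors": [{"message": msg}]}


if __name__ == "__main__":
    probe = mock_send("{ usre }")
    print("suggestions enabled:", suggestions_enabled(probe))
    print("after redaction    :", suggestions_enabled(redact_suggestions(probe)))
    print("discovered fields  :", sorted(discover_fields(mock_send, ["usre", "admin", "metrics"])))
```

To run the probe against a real endpoint, replace `mock_send` with a function that POSTs `{"query": ...}` to the GraphQL URL and returns the parsed JSON body; `suggestions_enabled` on a single misspelled-field response is the same observation the plugin reports, and `discover_fields` shows why the hint is worth more than introspection to an attacker: each round of near misses widens the known field set without ever issuing an introspection query.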

Plugin Details

Severity: Medium

ID: 112895

Type: remote

Published: 7/19/2021

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information


CVSS v2.0

Risk Factor: Medium

Base Score: 5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3.0

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable
