https://feed.craftedsignal.io/tags/graphql/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 21 Apr 2026 13:16:20 +0000https://feed.craftedsignal.io/briefs/2026-04-freepbx-command-injection/Tue, 21 Apr 2026 13:16:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-freepbx-command-injection/FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function, allowing authenticated users to execute arbitrary commands via crafted GraphQL mutations.FreePBX, a widely used open-source PBX (Private Branch Exchange) system, is vulnerable to a command injection flaw within its API module. Specifically, versions 17.0.8 and earlier are affected by CVE-2026-40520. The vulnerability resides in the initiateGqlAPIProcess() function, where GraphQL mutation input fields are directly passed to the shell_exec() function without proper sanitization or escaping. This allows an authenticated attacker with a valid bearer token to inject and execute arbitrary commands on the underlying host operating system as the web server user. The attack vector involves sending a specially crafted GraphQL moduleOperations mutation containing backtick-wrapped commands within the module field. Successful exploitation grants the attacker the ability to compromise the FreePBX server and potentially pivot to other internal systems.

Attack Chain

1. The attacker authenticates to the FreePBX API using a valid bearer token.
2. The attacker crafts a GraphQL moduleOperations mutation request.
3. Within the module field of the mutation, the attacker injects a command using backticks (e.g., \id` `).
4. The attacker sends the malicious GraphQL request to the /api endpoint.
5. The initiateGqlAPIProcess() function processes the request without proper sanitization.
6. The injected command is passed to the shell_exec() function within Api.class.php.
7. The shell_exec() function executes the injected command on the FreePBX server as the web server user (e.g., www-data, apache).
8. The attacker gains arbitrary command execution on the server.

Impact

Successful exploitation of this command injection vulnerability (CVE-2026-40520) allows an attacker to execute arbitrary commands on the FreePBX server with the privileges of the web server user. This can lead to complete compromise of the PBX system, allowing the attacker to eavesdrop on calls, modify call routing, steal sensitive data, install malware, and potentially pivot to other systems on the network. Given the critical role of PBX systems in business communications, a successful attack can disrupt operations, damage reputation, and result in significant financial losses.

Recommendation

• Upgrade the FreePBX API module to a version greater than 17.0.8 to patch CVE-2026-40520.
• Deploy the Sigma rule Detect FreePBX GraphQL Command Injection to identify exploitation attempts by detecting backticks in GraphQL mutation requests.
• Monitor web server logs for POST requests to the /api endpoint containing GraphQL mutations with backtick-wrapped commands to detect command injection attempts.
• Implement input validation and sanitization measures for all GraphQL input fields to prevent command injection vulnerabilities.

]]>highadvisorycommand-injectionfreepbxgraphqlcve-2026-40520https://feed.craftedsignal.io/briefs/2026-04-saleor-resource-exhaustion/Thu, 09 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-saleor-resource-exhaustion/Unauthenticated attackers can exploit a resource exhaustion vulnerability (CVE-2026-33756) in Saleor e-commerce platform versions before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 by sending a single HTTP request with a large number of GraphQL operations, bypassing query complexity limits and exhausting server resources.Saleor, an e-commerce platform, is susceptible to a resource exhaustion vulnerability affecting versions 2.0.0 prior to 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. This vulnerability stems from the platform’s support for query batching, where multiple GraphQL operations can be submitted in a single HTTP request as a JSON array. The absence of an upper limit on the number of operations within a single request allows unauthenticated attackers to bypass per-query complexity limits. By sending a single HTTP request containing a massive number of GraphQL operations, an attacker can exhaust server resources, potentially leading to denial of service. The vulnerability is addressed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Defenders must ensure they are running patched versions.

Attack Chain

1. The attacker identifies a Saleor instance running a vulnerable version (prior to 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118).
2. The attacker crafts a malicious HTTP POST request targeting the GraphQL endpoint (typically /graphql/).
3. The request body contains a JSON array representing a batch of GraphQL queries.
4. The number of GraphQL operations within the array is excessively large, designed to bypass query complexity limits.
5. The Saleor server processes the HTTP request, attempting to execute all GraphQL operations within the batch.
6. Due to the large number of operations, the server’s resources (CPU, memory) become heavily utilized.
7. The server becomes slow or unresponsive to legitimate user requests, causing a denial-of-service condition.
8. The attacker repeats the process to maintain the denial-of-service state, impacting legitimate users.

Impact

Successful exploitation of this vulnerability results in resource exhaustion on the Saleor e-commerce platform. This can lead to slow response times, application instability, and ultimately a denial-of-service condition for legitimate users. This vulnerability poses a significant risk to e-commerce businesses relying on Saleor, potentially impacting sales, customer satisfaction, and overall business operations. The number of potential victims is directly proportional to the number of Saleor installations running vulnerable versions.

Recommendation

• Upgrade Saleor instances to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 or later to patch CVE-2026-33756.
• Deploy the Sigma rule Detect High Volume of GraphQL Queries to identify potential exploitation attempts by monitoring the number of GraphQL queries within a single HTTP request in web server logs.
• Monitor web server logs for abnormally large HTTP POST requests to the /graphql/ endpoint.
• Implement rate limiting on the GraphQL endpoint to restrict the number of requests from a single IP address within a defined timeframe.

]]>mediumadvisoryresource-exhaustiongraphqlcve-2026-33756doshttps://feed.craftedsignal.io/briefs/2026-04-saleor-graphql-exhaustion/Wed, 08 Apr 2026 19:25:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-saleor-graphql-exhaustion/A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.CVE-2026-35401 details a resource exhaustion vulnerability affecting the Saleor e-commerce platform. Present in versions 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the flaw allows an unauthenticated, remote attacker to exhaust server resources. This is achieved by sending a single API call containing numerous GraphQL mutations or queries, leveraging aliases or chaining techniques. The excessive processing load induced by these malicious requests can lead to a denial-of-service (DoS) condition. Organizations using vulnerable Saleor versions are at risk of service disruption, potentially impacting business operations and revenue. Mitigation involves upgrading to the patched versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.

Attack Chain

1. The attacker identifies a Saleor e-commerce platform running a vulnerable version (2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118).
2. The attacker crafts a malicious GraphQL query or mutation containing numerous aliased or chained operations. This is done to maximize server-side processing load.
3. The attacker sends the crafted GraphQL request to the Saleor platform’s API endpoint, typically /graphql/.
4. The Saleor server attempts to process all the queries/mutations within the single request.
5. The server resources (CPU, memory, database connections) are rapidly consumed by the excessive processing demand.
6. The server becomes slow and unresponsive, potentially timing out for legitimate user requests.
7. The Saleor e-commerce platform experiences a denial-of-service condition, disrupting service for legitimate customers.
8. The attacker may repeat this process to maintain the denial-of-service state, further impacting business operations.

Impact

Successful exploitation of CVE-2026-35401 leads to resource exhaustion on the Saleor e-commerce platform, resulting in a denial-of-service condition. This disruption can impact online sales, customer experience, and brand reputation. The number of affected systems depends on the prevalence of vulnerable Saleor installations. While the exact number of victims is unknown, any e-commerce business using an unpatched version is susceptible to service outages. Prolonged or repeated attacks can lead to significant financial losses and damage to business operations.

Recommendation

• Immediately upgrade Saleor e-commerce platforms to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 to patch CVE-2026-35401.
• Implement rate limiting on the /graphql/ API endpoint to mitigate the impact of excessive requests.
• Deploy the Sigma rule Detect Suspicious GraphQL Volume to identify potential exploitation attempts based on request patterns.

]]>mediumadvisorycve-2026-35401graphqlresource-exhaustiondenial-of-servicesaleorhttps://feed.craftedsignal.io/briefs/2026-04-tinacms-path-traversal/Mon, 30 Mar 2026 17:11:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tinacms-path-traversal/A path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root by manipulating the relativePath parameter in GraphQL mutations, leading to potential arbitrary code execution.A path traversal vulnerability has been identified in versions 2.2.1 and earlier of @tinacms/graphql, a GraphQL API for TinaCMS. This flaw enables unauthenticated attackers to write and overwrite arbitrary files within the project root directory. The vulnerability stems from insufficient validation of the relativePath parameter within GraphQL mutations. By exploiting this weakness, attackers can overwrite critical server configuration files like package.json and tsconfig.json, inject malicious scripts into the public/ directory, and even achieve arbitrary code execution by modifying build scripts or server-side logic files. This vulnerability poses a significant risk to systems utilizing vulnerable versions of @tinacms/graphql.

Attack Chain

1. An attacker identifies a TinaCMS instance running a vulnerable version of @tinacms/graphql (<= 2.2.1).
2. The attacker crafts a malicious GraphQL mutation request targeting the updateDocument mutation.
3. Within the mutation, the attacker manipulates the relativePath parameter to include a path traversal sequence, such as x\\\\..\\\\..\\\\..\\\\package.json. The backslashes are misinterpreted on non-Windows systems.
4. The vulnerable getValidatedPath function fails to properly sanitize the malicious path due to the backslash bypass on non-Windows platforms.
5. The request is processed, and the server attempts to write to the attacker-specified file path.
6. The file system API resolves the path traversal sequence, leading to a write operation outside the intended directory.
7. The attacker overwrites a critical file, such as package.json, with malicious content.
8. The server or build process executes the modified file, resulting in arbitrary code execution or other malicious behavior.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to perform arbitrary file writes, leading to several critical consequences. Attackers can overwrite server configuration files, inject malicious scripts for client-side attacks, and achieve arbitrary code execution by modifying build scripts or server-side logic. The impact ranges from denial of service to complete system compromise. While the exact number of affected systems is unknown, all TinaCMS instances running @tinacms/graphql version 2.2.1 or earlier are susceptible.

Recommendation

• Upgrade @tinacms/graphql to a patched version (later than 2.2.1) to remediate CVE-2026-33949.
• Deploy the Sigma rule Detect TinaCMS GraphQL Path Traversal Attempt to identify attempted exploitation of the vulnerability.
• Monitor web server logs for POST requests to the /graphql endpoint containing suspicious relativePath parameters.
• Implement strict input validation and sanitization for file paths within GraphQL mutations, regardless of the underlying operating system.

]]>highadvisorypath-traversalgraphqltinacmsarbitrary-file-writehttps://feed.craftedsignal.io/briefs/2026-03-gitlab-graphql-dos/Thu, 26 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-gitlab-graphql-dos/CVE-2026-3988 is a denial of service vulnerability in GitLab CE/EE allowing unauthenticated users to crash instances by sending malformed GraphQL requests, affecting versions 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1.<p>CVE-2026-3988 is a denial-of-service (DoS) vulnerability affecting GitLab CE/EE. The vulnerability resides in the processing of GraphQL requests and stems from improper input validation. An unauthenticated attacker can exploit this flaw by sending specially crafted GraphQL requests, causing the GitLab instance to become unresponsive, effectively denying service to legitimate users. The affected versions include all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1…</p> mediumadvisorydenial-of-servicegraphqlgitlabcve-2026-3988https://feed.craftedsignal.io/briefs/2026-03-gitlab-csrf/Thu, 26 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-gitlab-csrf/CVE-2026-3857 describes a vulnerability in GitLab CE/EE versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, where an unauthenticated user can execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection, potentially leading to data modification or privilege escalation.<p>GitLab has addressed a critical security flaw, identified as CVE-2026-3857, within its Community Edition (CE) and Enterprise Edition (EE). This vulnerability impacts GitLab instances running versions 17.10 up to, but not including, 18.8.7, versions 18.9 up to 18.9.3, and versions 18.10 up to 18.10.1. The core issue lies in insufficient Cross-Site Request Forgery (CSRF) protection when handling GraphQL mutations. An unauthenticated attacker could exploit this by crafting malicious web pages…</p> highadvisorygitlabcsrfcve-2026-3857graphql