A critical race condition, identified as CVE-2026-23735, has been discovered in the popular graphql-modules library. This vulnerability allows request contexts to overlap when using the @ExecutionContext decorator within Singleton-scoped services. Consequently, User A can inadvertently inherit session data, authentication tokens, or personal information from User B if requests are processed simultaneously, posing a significant security risk.

This issue stems from a shared mutable state created by the @ExecutionContext decorator in Singleton services. In real-world, concurrent environments, this setup leads to a classic race condition where parallel requests interfere with each other's context data, causing identity confusion and data leakage. The solution involves upgrading to the patched versions 2.4.1 or 3.1.1, or refactoring Singleton services to avoid context injection.

The vulnerability has a CVSS score of 8.7, indicating a high severity. Affected systems include graphql-modules versions greater than or equal to 2.2.1 but less than 2.4.1, as well as versions 3.0.0 to 3.1.1. Developers are advised to identify and audit services using the @Injectable decorator with Scope.Singleton, and upgrade to the latest patched versions to mitigate the risk.

Expert analysis suggests that this vulnerability underscores the importance of careful context management in Singleton services, especially in concurrent environments. As the adoption of GraphQL continues to grow, such security concerns highlight the need for rigorous testing and timely updates to maintain the security and integrity of applications.