GraphQL Private Program 2025-11-01
GraphQL Introspection Exposes Internal API Schema
Severity: Medium | Status: Resolved
Summary
The GraphQL endpoint had introspection enabled, revealing all queries, mutations, and internal admin operations.
Proof of Concept
query {
  __schema {
    types { name fields { name } }
  }
}
Impact
Full API schema disclosure including hidden admin mutations.
Responsible Disclosure
This vulnerability was reported responsibly and fixed by the vendor before public disclosure.
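One way to refuse the introspection query from the Proof of Concept before it reaches the executor, shown as an added example. It is not the vendor's fix, which this report does not describe, and the function names and sample queries are assumptions made for illustration.

```javascript
// Added example: pre-execution gate that flags GraphQL introspection.
// Function names and the sample queries are constructed for illustration.
const INTROSPECTION_FIELDS = new Set(["__schema", "__type"]);

// Drop comments and string literals so "__schema" inside a string argument
// or a comment is not mistaken for a field selection.
function stripIgnored(query) {
  let out = "", i = 0;
  while (i < query.length) {
    if (query.startsWith('"""', i)) {
      i += 3; // block string: skip to the closing """, honoring \"""
      while (i < query.length && !query.startsWith('"""', i)) {
        i += query.startsWith('\\"""', i) ? 4 : 1;
      }
      i += 3;
      out += " ";
    } else if (query[i] === '"') {
      i += 1; // ordinary string: skip to the closing quote, honoring escapes
      while (i < query.length && query[i] !== '"' && query[i] !== "\n") {
        i += query[i] === "\\" ? 2 : 1;
      }
      i += 1;
      out += " ";
    } else if (query[i] === "#") {
      while (i < query.length && query[i] !== "\n") i += 1; // comment
    } else {
      out += query[i];
      i += 1;
    }
  }
  return out;
}

// Names starting with "__" are reserved for introspection by the GraphQL
// spec, so any remaining __schema/__type token is an introspection field.
// __typename is deliberately not listed: ordinary clients rely on it.
function findIntrospectionFields(query) {
  const names = stripIgnored(query).match(/[_A-Za-z][_0-9A-Za-z]*/g) || [];
  return [...new Set(names.filter((n) => INTROSPECTION_FIELDS.has(n)))];
}

function gate(query, { allowIntrospection = false } = {}) {
  const hits = allowIntrospection ? [] : findIntrospectionFields(query);
  if (hits.length === 0) return { allowed: true, reason: null };
  return { allowed: false, reason: `introspection: ${hits.join(", ")}` };
}

// Constructed sample: the report's query is refused, a normal one passes.
console.log(gate("query { __schema { types { name } } }"));
console.log(gate("{ user(id: 1) { __typename name } }"));
```

A request-side filter like this is defense in depth; the primary control is disabling introspection in the GraphQL server's own configuration for production.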