Mutation over GET

Updated: June 19, 2025

findings action based findings api finding

Description

Severity: Medium

The GraphQL endpoint permits mutations to be executed using the HTTP GET method.

Typically, mutations should be executed using the POST method, as GET requests are intended for fetching data without side effects. Allowing mutations over GET can lead to several security risks

Example Attack

An attacker sends a GET request with a mutation query embedded in the URL, such as deleting a user or updating account details. If the server allows mutations via GET, the attacker can execute this mutation without the need for additional authentication or protection, potentially leading to unauthorized data modification.

Remediation

Ensure that the GraphQL API does not allow GET method mutations.

Need help?

Contact FireTail support

Previous (Findings - Action based findings): Modal jailbreak vulnerability
Next (Findings - Action based findings): No output scanning