Description
Your web application allows the execution of GraphQL mutations without proper authentication.
In GraphQL, mutations are operations that can cause data writes or changes on the server. Technically, any query in GraphQL can be made to modify data, but the best practice and convention are that any operations causing writes should be done via mutations.
Unauthenticated mutations can lead to unauthorized changes in your application data, which can have detrimental consequences ranging from data corruption to unauthorized access to sensitive data. It's recommended to authenticate all GraphQL mutations to ensure only authorized users can make changes.
Remediation
It's recommended to authenticate all GraphQL mutations: ensure that all GraphQL mutations require proper authentication before execution. Implement strong authentication mechanisms and periodically review the access controls to mutations. It's also recommended to use role-based access control (RBAC) to grant permissions only to specific mutations based on the user's role.