The GraphQL API has introspection enabled in production, allowing anyone to query the complete API schema including all types, fields, queries, mutations, and their relationships.
An attacker can map the entire API surface, discover hidden endpoints, identify sensitive data fields, and understand the data model to craft targeted attacks more efficiently.
Disable introspection in production environments. Implement field-level authorization. Use query depth limiting and complexity analysis. Monitor for introspection queries and excessive query patterns.
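The remediation points above (refuse introspection in production, cap selection-set depth, bound query size, and emit a log record for monitoring) can be prototyped as a small request guard. The following is an added example, not code from the original finding; it is dependency-free JavaScript that inspects the raw query text in front of a GraphQL server, and the names `guardQuery`, `toLogRecord` and the sample queries are all constructed for this illustration. Because it works on text rather than a parsed AST (fragment spreads are not expanded), it is a pre-filter and monitoring hook, not a substitute for the server's own schema-level validation rules.

```javascript
// Added example (not from the original finding): a dependency-free guard that
// flags introspection queries, enforces a maximum selection-set depth, bounds
// the number of selected fields, and produces a structured log record.

// Matches the __schema and __type root introspection fields. The trailing \b
// keeps the harmless __typename meta-field from matching.
const INTROSPECTION_FIELD = /\b__(schema|type)\b/;

// Tokens that are GraphQL syntax rather than selected fields.
const KEYWORDS = new Set(['query', 'mutation', 'subscription', 'fragment', 'on',
  'true', 'false', 'null']);

// Remove strings, comments and argument lists so that braces inside them
// (e.g. object-literal arguments such as filter: {published: true}) cannot
// distort the depth count or hide an introspection field in a comment.
function stripNoise(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')   // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""') // ordinary strings
    .replace(/#[^\n]*/g, '')             // line comments
    .replace(/\([^()]*\)/g, '');         // argument lists and variable definitions
}

// Maximum nesting of selection sets, measured as brace depth.
function selectionDepth(stripped) {
  let depth = 0;
  let max = 0;
  for (const ch of stripped) {
    if (ch === '{') {
      depth += 1;
      if (depth > max) max = depth;
    } else if (ch === '}') {
      depth -= 1;
    }
  }
  return max;
}

// Approximate count of selected fields: identifiers that are not keywords,
// operation/fragment names, type conditions, aliases, directives or spreads.
function fieldCount(stripped) {
  const withoutNames = stripped
    .replace(/\b(query|mutation|subscription|fragment)\s+[_A-Za-z]\w*/g, '$1')
    .replace(/\bon\s+[_A-Za-z]\w*/g, '');
  // Skip names preceded by @ (directive), . (fragment spread) or $ (variable),
  // and names followed by ':' (aliases).
  const names = withoutNames.match(/(?<![@.$])\b[_A-Za-z]\w*\b(?!\s*:)/g) || [];
  return names.filter((n) => !KEYWORDS.has(n)).length;
}

// Decide whether a query may proceed. Limits are constructed defaults; tune
// them to the real schema.
function guardQuery(query, { maxDepth = 6, maxFields = 200, allowIntrospection = false } = {}) {
  const stripped = stripNoise(query);
  const introspection = INTROSPECTION_FIELD.test(stripped);
  const depth = selectionDepth(stripped);
  const fields = fieldCount(stripped);
  const reasons = [];
  if (introspection && !allowIntrospection) reasons.push('introspection_disabled');
  if (depth > maxDepth) reasons.push(`depth_${depth}_exceeds_${maxDepth}`);
  if (fields > maxFields) reasons.push(`fields_${fields}_exceeds_${maxFields}`);
  return { allowed: reasons.length === 0, introspection, depth, fields, reasons };
}

// Structured record for the monitoring pipeline; the client identifier is
// whatever the gateway attributes the request to (constructed here).
function toLogRecord(clientId, result) {
  return JSON.stringify({ event: 'graphql_guard', clientId, ...result });
}

// Constructed sample queries for a stand-alone run.
const SAMPLE_INTROSPECTION = '{ __schema { types { name fields { name } } } }';
const SAMPLE_USER_QUERY = `query GetUser($id: ID!) {
  user(id: $id) { posts(first: 10, filter: {published: true}) { title comments { body } } }
}`;

for (const q of [SAMPLE_INTROSPECTION, SAMPLE_USER_QUERY]) {
  console.log(toLogRecord('client-A', guardQuery(q)));
}
```

In a deployment the guard runs where the request is parsed (gateway or server middleware), the `allowIntrospection` flag is derived from the environment so that non-production stays usable, and the log records feed the alerting rule for repeated `introspection_disabled` or depth rejections from one client.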