CVE-2026-1170
Unknown Unknown - Not Provided
Information Disclosure in Birkir Prime GraphQL API via Remote Manipulation

Publication date: 2026-01-19

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1170
EUVD
EUVD-2026-3203
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
birkir prime to 0.4.0.beta.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1170 is an information disclosure vulnerability in birkir prime up to version 0.4.0.beta.0, specifically affecting the GraphQL API endpoint /graphql. The vulnerability occurs because the GraphQL feature enables Introspection Queries by default, allowing an attacker to remotely perform Introspection Query attacks. These attacks reveal detailed information about the GraphQL API's schema, including types and fields, exposing sensitive internal API structure and metadata without requiring authentication. [1, 3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information about the internal structure and capabilities of the GraphQL API. Attackers can use this information to better understand the system and craft further targeted attacks, potentially compromising confidentiality. Since the attack can be performed remotely without authentication and a public exploit exists, the risk of exploitation is significant. There are no known countermeasures currently, and the affected product has not responded to the issue. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by sending GraphQL Introspection Queries to the /graphql endpoint of the birkir prime system. For example, you can use a curl command to send a POST request with an Introspection Query to check if the GraphQL API allows schema introspection, which indicates the vulnerability. A sample command is: curl -X POST -H "Content-Type: application/json" --data '{"query":"{ __schema { types { name } } }"}' http://<target-host>/graphql If the response returns detailed schema information, the system is vulnerable to this information disclosure issue. [1, 3]

Mitigation Strategies

Currently, no official patches or countermeasures have been provided by the birkir prime project. Immediate mitigation steps include disabling GraphQL Introspection Queries if possible, restricting access to the /graphql endpoint to trusted users or networks, or replacing the affected product with an alternative that does not expose this vulnerability. Monitoring and blocking suspicious requests targeting the /graphql endpoint can also help reduce risk until a fix is available. [2]

Compliance Impact

The vulnerability leads to unauthorized disclosure of sensitive internal API information, which can compromise confidentiality. Such information disclosure could potentially violate data protection requirements under standards like GDPR and HIPAA, which mandate safeguarding sensitive data and preventing unauthorized access. However, the provided resources do not explicitly discuss compliance impacts or regulatory consequences. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart