Original message: I found an issue with security grants on on properties in the GraphQL ItemNormalizer: If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one. There is the ApiPlatformGraphQlSerializerItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164 and in its usage on line 90 it does indeed not create a cache key, but the parent::normalize() that is called afterwards still creates the cache key and causes the issue. Impact It grants access to properties that it should not. Workarounds Override the ItemNormalizer. Patched at:…Read More