/api/graphql leaves introspection (__schema) enabled and exposes a user(id) resolver with no authorization, so a single query maps the schema and dumps any user's apiKey / ssn.
Trigger: { __schema { types { name } } } (introspection) and user(id: 3){ apiKey ssn } (IDOR).
Detected by: browser_cdp_graphql_scan