This feature provides clients with hints or suggestions for field names when a query references a field that is incorrect or does not exist. While it improves usability for developers during debugging, it can unintentionally disclose details of the API's schema to malicious actors, increasing the risk of reconnaissance and targeted attacks.
An attacker sends a GET request with a mutation operation embedded in the URL, such as one that deletes a user or updates account details. If the server accepts mutations over GET, the mutation executes without any additional authentication or protection, potentially leading to unauthorized data modification.
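Added example, not code from the original page or from any GraphQL server project: a small request guard that covers both issues above, refusing non-query operations that arrive over GET and stripping trailing field suggestions from error messages before they are returned. The `guardGraphqlRequest` and `stripFieldSuggestions` names, the `{ method, query }` request shape and the `Did you mean ...` suffix format are assumptions.

```javascript
// Crude pre-parse detection of top-level operation types. Strings and comments
// are blanked first so keywords inside them are ignored; braces and parentheses
// are tracked so only depth-0 keywords count. The real parser still validates.
function topLevelOperationTypes(document) {
  const src = document
    .replace(/"""[\s\S]*?"""/g, '""')       // block strings
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""')  // ordinary strings
    .replace(/#[^\n]*/g, '');               // comments
  const tokens = src.match(/[{}()]|[A-Za-z_][A-Za-z0-9_]*/g) || [];
  const types = [];
  let braces = 0, parens = 0, header = null;
  for (const t of tokens) {
    if (t === '(') { parens++; continue; }
    if (t === ')') { parens--; continue; }
    if (t === '}') { braces--; continue; }
    if (t === '{') {
      if (braces === 0 && parens === 0) {
        types.push(header || 'query'); // anonymous `{ ... }` is query shorthand
        header = null;
      }
      braces++;
      continue;
    }
    if (braces === 0 && parens === 0 && header === null &&
        ['query', 'mutation', 'subscription', 'fragment'].includes(t)) {
      header = t;
    }
  }
  return types.filter((t) => t !== 'fragment');
}

// Gate: GET may only carry read-only query operations (assumed request shape).
function guardGraphqlRequest({ method, query }) {
  const ops = topLevelOperationTypes(query);
  if (method.toUpperCase() === 'GET' && ops.some((op) => op !== 'query')) {
    return { allowed: false, status: 405, reason: 'only query operations may use GET' };
  }
  return { allowed: true, operations: ops };
}

// Error formatter hook: drop the schema hint appended to unknown-field errors
// (assumed "Did you mean ..." wording, as produced by common server libraries).
function stripFieldSuggestions(message) {
  return message.replace(/\s*Did you mean .*$/s, '');
}

// Constructed sample traffic, run when executed directly.
const SAMPLES = [
  { method: 'GET', query: 'mutation { deleteUser(id: "42") { id } }' },
  { method: 'GET', query: '{ me { id email } }' },
  { method: 'POST', query: 'mutation { deleteUser(id: "42") { id } }' },
];
for (const s of SAMPLES) console.log(s.method, guardGraphqlRequest(s));
console.log(stripFieldSuggestions('Cannot query field "emil" on type "User". Did you mean "email"?'));
```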