Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.
The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing email addresses.
Install the latest version:
- If you use the thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to thunder 6.4.6 or thunder 6.5.3 respectively.
- Greg Knaddison of the Drupal Security Team