Is this a security issue for WP GraphQL (wordpress)?

Question

Using postman I query:

query MyQuery {
  users {
    nodes {
        id
        email
    }
  }

With an authenticated request (and admin rights), I get:

{
    "data": {
        "users": {
            "nodes": [
                {
                    "id": "dXNlcjox",
                    "email": "..."
                },
                {
                    "id": "dXNlcjoz",
                    "email": ".........."
                },
                {
                    "id": "dXNlcjoy",
                    "email": "................."
                }
            ]
        }
    },
    "extensions": {
        "debug": []
    }
}

which returns all users and that's ok

BUT !!!

with a public request I get:

{
    "data": {
        "users": {
            "nodes": [
                {
                    "id": "dXNlcjox",
                    "email": null
                }
            ]
        }
    },
    "extensions": {
        "debug": []
    }
}

Why is the node with: "id": "dXNlcjox" exposed to a public request ?

Is this a security concern ?

Answer 1

Actually, this is ok.

Quoting from WP GraphQL page:

WPGraphQL follows WordPress access control rights, and only exposes data publicly that WordPress already exposes publicly. Users that have published posts are considered public entities in WordPress. Users that have not published posts are considered private and will not be included in public GraphQL requests, but will be included in GraphQL requests made by authenticated users with proper capabilities to see the users.

Fields, such as user email addresses, are also protected by WPGraphQL and only exposed to authenticated requests by users with proper capabilities to see the data.

This certain node: "id": "dXNlcjox" happens to be the admin which for wordpress, his existence is a public information (even if his email is not).