Trusted extra eyes for stuck bug bounty findings
A blockchain analytics platform has a staging API endpoint reachable from the production domain. The staging endpoint has full GraphQL introspection enabled, revealing the complete schema including mutations, types, and internal field names. The schema exposes internal entities and operations that are not documented in the public API. This is informational on its own, but I want to use it as supporting evidence in a larger chain. Looking for someone who can help analyze the schema for sensitive mutations or access control bypasses that would elevate the severity.