GraphQL abuse: Bypass account level permissions through parameter smuggling
the ability to bypass the account level permissions set within the application and call queries through GraphQL that are normally only allowed to be called by administrators. I call this "smuggling" queries, but there is probably a much more technical explanation.
Source: labs.detectify.com