GraphQL — Batched Query Authentication Bypass
GraphqlAPI rate-limits the login mutation to 5 requests per minute. But the rate limit applies per-request, not per-operation. Send batched queries (multiple mutations in one POST) to brute-force passwords past the limit.
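The mitigation for the flaw described above, as an added example that is not part of the lab's own code: a limiter charged once per HTTP request beside one charged once per login operation in the body. The field name `login`, the helper names, and the sample batch are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict, deque

LIMIT, WINDOW = 5, 60.0  # the limit stated above: 5 logins per minute
# Assumption: the mutation field is named "login". The regex deliberately
# over-counts (comments, strings), which is the safe direction for a limiter.
LOGIN_FIELD = re.compile(r"\blogin\s*\(")


class SlidingWindow:
    """Per-client sliding-window counter that charges a variable cost."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client, cost, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:  # expire old hits
            q.popleft()
        if len(q) + cost > self.limit:  # reject the whole request
            return False
        q.extend([now] * cost)
        return True


def login_cost(body):
    """Count login operations in one POST body (array batch or aliases)."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    return sum(
        len(LOGIN_FIELD.findall(str(op.get("query") or "")))
        for op in ops if isinstance(op, dict)
    )


def per_request_check(limiter, client, body, now):
    return limiter.allow(client, 1, now)  # weak: one unit per HTTP request


def per_operation_check(limiter, client, body, now):
    return limiter.allow(client, login_cost(body), now)  # one unit per login


def sample_batch(n):
    """Constructed sample input: n login mutations in a single JSON array."""
    q = 'mutation { login(username: "user", password: "placeholder") { token } }'
    return json.dumps([{"query": q} for _ in range(n)])
```

On a real server the same budget is better charged inside the login resolver, or counted from the parsed GraphQL AST, so that every execution of the mutation is billed regardless of how the request was packaged.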