Internal Paths/Files Leakage via Malformed Access Token on graph.meta.ai
The graph.meta.ai API leaks detailed internal path and file information when a malformed or invalid access token is supplied in a GET request.
The flaw allows any user to modify the verification waitlist for any business simply by knowing its Business ID.
Unauthorized ability to toggle messaging notifications for any Meta Horizon account, allowing attackers to manipulate victims’ settings remotely.
An internal review endpoint allowed access to private videos by ID, exposing CDN URLs for videos marked private.
A Page member with only the 'Insight' role could create Page questions (fun fact prompts) via GraphQL, bypassing the required admin/editor privileges.
Authorization flaw allowed adding arbitrary creators to a brand's Paid Partnership on Instagram via GraphQL mutation.
Buyer-side GraphQL mutations allowed changing a Marketplace listing to 'Paid', deceiving sellers and disabling the 'Mark as paid' control.
Users from allowed/verified domains could join a Workplace without admin approval using invite link or activation flow.
Anyone with the preview link ID could delete/expire shared Ads Reporting previews using Graph API, impacting externally shared reports.
An unauthenticated POST to GraphQL could block appointment request management for any Facebook Page.