Is it possible to disable GraphQL API and graphql-explorer


I know that CVE-2020-26413 has been fixed and user email can no longer be queried now. But unauthenticated user still can get username list from graphql-exploer with query like:

  users {
    edges {
      node {

The CVE seem to not care about the username, but we do have been bothered by attackers who got the username list. The attacker try to brute force the password, and causing the account being locked by gitlab after lots of failed login attampts. Then the legitimate user cannot login its account. Of course account can be unlocked, but its really annoying.


We want to disable the graphql explorer and graphql api since nobody need this feather. But I didn’t find any information about how to disable it from gitlab doc. So is it possible?

And I’m courious about why unauthorized query for account list did not be regarded as a security problem. Since in REST API, “GET /users” query need authorize, I guess the user names are not designed to be public accessible information.