Insecure Direct Object Reference (IDOR) - Delete Campaigns
Program: hackerone
Bug Type: IDOR
Bounty: Unspecified
Date: 2023-05-02
IDOR
sensitive-data
Summary
A researcher found a vulnerability in a GraphQL API endpoint that lets a user delete a campaign by manipulating the campaign_id parameter.
The campaign_id is the base64 encoding of the string gid://hackerone/Campaign/244. Changing the number 244 to that of another valid campaign (which is guessable)
deletes the respective campaign.
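
The missing control here is an ownership check on the decoded id. The sketch below is an added example, not HackerOne's code: it contrasts a delete handler that trusts the decoded campaign_id with one that verifies the caller's program owns the campaign. The function names, the program names and the in-memory campaign table are assumptions made for illustration.

```ruby
# Added illustration with hypothetical names and constructed data.
GID_RE = %r{\Agid://hackerone/Campaign/(\d+)\z}

# Constructed sample data: campaign id => owning program.
def sample_campaigns
  { 244 => "program-a", 245 => "program-b" }
end

# Build a campaign_id the way the report describes it: base64 of the gid string.
def encode_gid(id)
  ["gid://hackerone/Campaign/#{id}"].pack("m0")
end

# Decode a campaign_id. Returns the integer id, or nil if it is not
# valid base64 or does not match the expected gid shape.
def decode_campaign_id(campaign_id)
  gid = campaign_id.to_s.unpack1("m0") # strict base64, raises on bad input
  m = GID_RE.match(gid)
  m && m[1].to_i
rescue ArgumentError
  nil
end

# Behaviour described in the report: any decodable id is deleted,
# regardless of who is asking.
def delete_campaign_unchecked(campaigns, campaign_id)
  id = decode_campaign_id(campaign_id)
  campaigns.delete(id) ? :deleted : :not_found
end

# Hardened form: the campaign must belong to one of the caller's programs.
# Missing and foreign campaigns return the same result, so the response
# does not confirm which ids exist.
def delete_campaign(campaigns, caller_programs, campaign_id)
  id = decode_campaign_id(campaign_id)
  owner = campaigns[id]
  return :not_found unless owner && caller_programs.include?(owner)
  campaigns.delete(id)
  :deleted
end
```

Base64 is an encoding, not an access control: because the id inside the gid is sequential, the authorization decision has to be made server-side on every mutation.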