Skip to main content

KeystoneJS CVE-2026-10802

| EUVDEUVD-2026-34244 LOW
Uncontrolled Resource Consumption (CWE-400)
2026-06-04 cna@vuldb.com GHSA-45jq-c8xm-jfw9
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 04, 2026 - 12:35 vuln.today
Analysis Generated
Jun 04, 2026 - 12:35 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on @keystone-6/core (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.5.3.

DescriptionCVE.org

A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.

AnalysisAI

Uncontrolled resource consumption in KeystoneJS's GraphQL API endpoint allows a remotely authenticated attacker with low-privilege credentials to degrade server availability by submitting deeply nested GraphQL queries that exhaust CPU or memory without bound. Versions up to snapshot 20260319 of the @keystone-6/core package are affected. A public proof-of-concept exists (CVSS E:P), though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 - indicating limited real-world severity under most deployments.

Technical ContextAI

KeystoneJS is an open-source Node.js headless CMS framework that auto-generates a GraphQL API from a user-defined schema. The root cause (CWE-400: Uncontrolled Resource Consumption) is the absence of GraphQL query depth limiting in the Apollo Server integration within packages/core/src/lib/express.ts. Without a depth cap, a single query with arbitrarily deep field nesting forces the server to perform recursive resolution, potentially exhausting CPU and memory. The PR diff confirms the fix involves integrating the graphql-depth-limit library, injecting depthLimit(config.graphql.maxDepth ?? 20) as a GraphQL validation rule, and exposing a configurable maxDepth option (defaulting to 20) in the Keystone config type. The specific file flagged in the CVE description - packages/core/src/lib/core/queries/output-field.ts - is part of the query resolution pipeline that processes output fields, which is where unbounded depth manifests during execution.

RemediationAI

No vendor-released patch version has been confirmed at time of analysis - the fix exists as unmerged pull request #9831 (https://github.com/keystonejs/keystone/pull/9831), which was noted as awaiting acceptance. Operators should monitor the PR for merge and subsequent npm release of @keystone-6/core. As an immediate compensating control, manually install graphql-depth-limit and inject it as a custom Apollo validation rule in your Keystone configuration's graphql.apolloConfig.validationRules array - this replicates the fix without waiting for the upstream release. Additionally, restrict access to the GraphQL API endpoint to trusted authenticated users via network controls or middleware, and consider rate-limiting GraphQL POST requests at a reverse proxy to reduce the blast radius of repeated abuse. Note that proxy-level rate limiting will not prevent a single oversized query from triggering the issue; client-side validation or depth limiting at the application layer is the more effective control.

Share

CVE-2026-10802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy