CVE-2026-40476

MEDIUM
2026-04-17 GitHub_M
6.9
CVSS 4.0

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Generated
Apr 17, 2026 - 22:40 vuln.today
CVSS Changed
Apr 17, 2026 - 22:22 NVD
6.9 (MEDIUM)

Description (NVD)

graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.

Analysis (AI)

Denial of service in graphql-go versions 15.31.4 and below allows remote unauthenticated attackers to trigger excessive CPU consumption during GraphQL query validation by submitting queries with thousands of repeated identical fields, exploiting O(n²) complexity in the OverlappingFieldsCanBeMerged validation rule. The vulnerability bypasses existing QueryDepth and QueryComplexity mitigations. …
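To make the mechanism above concrete, here is an added illustration written for this page (not graphql-go's own code): a check with the pairwise shape the advisory describes beside a representative-based check that stays linear, run over the flat n-identical-fields selection set constructed in memory. The Field type, its Args string and all function names are assumptions, not the library's types.

```go
package main

// Field is the part of a selection-set entry that OverlappingFieldsCanBeMerged compares:
// the response name (alias or field name), the field it resolves to, and its arguments.
type Field struct {
	ResponseName, Name, Args string // constructed shape, not the library's AST type
}
// PairwiseConflictCheck has the shape the advisory describes for the unpatched rule: every
// pair of fields sharing a response name is compared, so n identical fields cost n(n-1)/2
// comparisons. It returns that count and whether the fields cannot be merged.
func PairwiseConflictCheck(fields []Field) (comparisons int, conflict bool) {
	for i := range fields {
		for j := i + 1; j < len(fields); j++ {
			if fields[i].ResponseName != fields[j].ResponseName {
				continue
			}
			comparisons++
			if fields[i].Name != fields[j].Name || fields[i].Args != fields[j].Args {
				conflict = true
			}
		}
	}
	return comparisons, conflict
}

// GroupedConflictCheck compares each field only with the first field seen under the same
// response name. Merge compatibility is an equivalence relation, so any conflict in the
// group shows up against that representative, and n identical fields cost n-1 comparisons.
func GroupedConflictCheck(fields []Field) (comparisons int, conflict bool) {
	first := make(map[string]Field)
	for _, f := range fields {
		if rep, seen := first[f.ResponseName]; !seen {
			first[f.ResponseName] = f
		} else if comparisons++; rep.Name != f.Name || rep.Args != f.Args {
			conflict = true
		}
	}
	return comparisons, conflict
}

// RepeatedFieldSelection builds in memory the query shape the advisory describes: n copies
// of one field in a single flat selection set. QueryDepth sees depth 1 and QueryComplexity
// sees n cheap scalar fields, which is why neither rule stops it.
func RepeatedFieldSelection(n int) []Field {
	fields := make([]Field, n)
	for i := range fields {
		fields[i] = Field{ResponseName: "id", Name: "id"}
	}
	return fields
}
```

With n = 5000 the pairwise version performs 12,497,500 comparisons before execution starts, the grouped version 4,999; the numbers, not the wall-clock time, are what a complexity or depth limit never sees.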
