Skip to main content

Graphql Php CVE-2026-40476

MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-04-17 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch released
Apr 18, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 22:40 vuln.today
CVSS changed
Apr 17, 2026 - 22:22 NVD
6.9 (MEDIUM)
Analysis Generated
Apr 17, 2026 - 22:15 vuln.today
CVE Published
Apr 17, 2026 - 21:42 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.

AnalysisAI

Denial of service in graphql-go versions 15.31.4 and below allows remote unauthenticated attackers to trigger excessive CPU consumption during GraphQL query validation by submitting queries with thousands of repeated identical fields, exploiting O(n²) complexity in the OverlappingFieldsCanBeMerged validation rule. The vulnerability bypasses existing QueryDepth and QueryComplexity mitigations. Vendor-released patch: version 15.31.5.

Technical ContextAI

graphql-go (webonyx/graphql-php) is a PHP implementation of the GraphQL specification, which defines a validation phase occurring before query execution. The OverlappingFieldsCanBeMerged rule (part of the GraphQL validation spec) ensures that fields with the same response name can be safely merged during execution. In affected versions, this rule performs pairwise comparisons of all fields sharing the same response name without optimization, resulting in O(n²) algorithm complexity. When an attacker sends a query with n repeated identical fields, the validator performs n×(n-1)/2 comparisons, consuming CPU linearly with the square of field count. This occurs during the validation phase, before any rate-limiting or execution-level protections can intervene. The root cause is classified under CWE-407 (Inefficient Algorithmic Complexity), indicating inadequate algorithmic efficiency in a security-relevant operation.

RemediationAI

Upgrade graphql-php to version 15.31.5 or later immediately. This release includes an optimized OverlappingFieldsCanBeMerged validation rule that eliminates the O(n²) complexity. For organizations unable to upgrade immediately, implement the following compensating controls: (1) Configure a maximum query complexity limit at the application level (e.g., using Apollo Server's costsEnabled or similar GraphQL middleware) set to a conservative value (e.g., complexity points per field); (2) Implement rate-limiting on the GraphQL endpoint per IP or authenticated user, capping requests to 10-50 per second; (3) Set a hard timeout on query validation (e.g., 2-5 seconds) that aborts validation and returns an error if validation time exceeds the threshold-note this reduces availability for legitimate deep-nesting queries; (4) Monitor CPU usage on GraphQL endpoints and alert on sustained spikes above baseline. Each control has trade-offs: complexity limits may reject legitimate queries, rate-limiting affects all users equally, and validation timeouts degrade service for complex but valid queries. Patching is the definitive fix and should be prioritized.

Share

CVE-2026-40476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy