CVE-2026-10802— keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| keystonejs | keystone | 20260319 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10802
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keystone 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keystone是OpenStack开源的一款强大的CMS。用于帮助您比任何其他 Cms 或应用程序框架更快地构建和扩展。 Keystone 20260319及之前版本存在安全漏洞,该漏洞源于GraphQL API Endpoint组件中packages/core/src/lib/core/queries/output-field.ts库的未知代码存在资源消耗问题,可能导致远程攻击者利用该漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| keystonejs | keystone | 20260319 | cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-10802
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10802
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-10802 (1)
News Coverage for CVE-2026-10802 (1)
Vendor Pages for CVE-2026-10802 (1)
Other References for CVE-2026-10802 (1)
IV. Related Vulnerabilities
Same vendor: keystonejs
- CVE-2026-33326
@keystone-6/core: `isFilterable` bypass via `cursor` paramet - CVE-2025-46720
Keystone has an unintended `isFilterable` bypass that can be - CVE-2023-40027
Conditionally missing authorization in @keystone-6/core - CVE-2023-34247
@keystone-6/auth Open Redirect vulnerability - CVE-2022-39382
NODE_ENV in Keystone defaults to development with esbuild
Same weakness: CWE-400
- CVE-2026-45357
LiquidJS: Memory and render limit bypass via unbounded width - CVE-2026-44645
LiquidJS has a renderLimit DoS guard bypass via empty `{% fo - CVE-2024-24769
Vantage6: No limit on emails sent for password/MFA reset - CVE-2026-48990
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry p - CVE-2026-48988
markdown-it: Quadratic complexity DoS in smartquotes rule vi
V. Comments for CVE-2026-10802
No comments yet