CVE-2026-40476— graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40476
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
Source: NVD (National Vulnerability Database)
Vulnerability Description
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
算法复杂性
Source: NVD (National Vulnerability Database)
Vulnerability Title
graphql-go 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
graphql-go是Webonyx开源的一款专注于易用性的 GraphQL 服务器。 graphql-go 15.31.5之前版本存在安全漏洞,该漏洞源于OverlappingFieldsCanBeMerged验证规则对共享相同响应名称的字段执行O(n²)成对比较,可能导致攻击者发送包含数千个重复相同字段的查询,在验证期间消耗过多CPU。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| webonyx | graphql-php | < 15.31.5 | - |
II. Public POCs for CVE-2026-40476
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40476
请登录查看更多情报信息。
Advisory · 1
IV. Related Vulnerabilities
Same weakness: CWE-407
- CVE-2026-45186
libexpat 安全漏洞 - CVE-2026-42245
net-imap: Quadratic complexity when reading response literal - CVE-2026-43967
Quadratic fragment-name uniqueness check causes denial of se - CVE-2026-35599
Vikunja has an Algorithmic Complexity DoS in Repeating Task - CVE-2026-6042
musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic c
V. Comments for CVE-2026-40476
No comments yet