{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.113Z", "datePublished": "2026-04-17T21:42:59.511Z", "dateUpdated": "2026-04-17T21:42:59.511Z"}, "containers": {"cna": {"title": "graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-407", "lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrr"}, {"name": "https://github.com/webonyx/graphql-php/releases/tag/v15.31.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/webonyx/graphql-php/releases/tag/v15.31.5"}], "affected": [{"vendor": "webonyx", "product": "graphql-php", "versions": [{"version": "< 15.31.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:42:59.511Z"}, "descriptions": [{"lang": "en", "value": "graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n\u00b2) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5."}], "source": {"advisory": "GHSA-68jq-c3rv-pcrr", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n\u00b2) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5."}], "id": "CVE-2026-40476", "lastModified": "2026-04-17T22:16:33.360", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:33.360", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/webonyx/graphql-php/releases/tag/v15.31.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:52:49.049470+00:00", "value": {"mitigation_remediation": ["Upgrade to version 15.31.5 or later of graphql-php to remove the quadratic complexity.", "Apply any additional query depth or complexity limits to restrict large requests at the API gateway level.", "Monitor server CPU load and network traffic for anomalous spikes that could indicate an ongoing denial\u2011of\u2011service attempt."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected vendors are represented by webonyx:graphql-php. The flaw appears in all versions up to and including 15.31.4. The issue is corrected in version\u202f15.31.5 and later.", "description_and_impact": "The vulnerability resides in the OverlappingFieldsCanBeMerged validation rule of the graphql-php library, which performs pairwise comparisons of fields that share a response name. In versions 15.31.4 and below, the algorithm scales quadratically (O(n\u00b2)), so an attacker can craft a query containing thousands of identical fields. When processed, the server expends excessive CPU time validating the request before any execution occurs, which can exhaust resources and result in a denial of service.", "risk_and_exploitability": "The CVSS vector assigns a score of 6.9, indicating moderate impact, but the lack of an EPSS score and absence from the KEV list suggest exploitation is not yet documented or common. The attack requires ability to send arbitrary GraphQL queries to the endpoint; no authentication or privilege escalation is needed. Exploitation is straightforward: an attacker submits a large query, causing the server to consume disproportionate CPU, potentially impacting all users."}}}}, "created": "2026-04-18T09:00:05.896209+00:00", "updated": "2026-04-18T09:00:05.896220+00:00", "vendors": []}