CVE-2026-40476: CWE-407: Inefficient Algorithmic Complexity in webonyx graphql-php
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
AI Analysis
Technical Summary
The vulnerability in graphql-php (CVE-2026-40476) involves the OverlappingFieldsCanBeMerged validation rule performing quadratic time complexity (O(n²)) pairwise comparisons on fields sharing the same response name. This inefficient algorithmic behavior allows an attacker to craft GraphQL queries with thousands of repeated identical fields, leading to excessive CPU consumption during the validation phase. This can degrade service performance or cause denial of service conditions. The problem affects versions below 15.31.5 and is not mitigated by existing query complexity or depth limits. The issue has been addressed and fixed in version 15.31.5.
Potential Impact
Exploitation of this vulnerability can cause excessive CPU usage on servers running vulnerable versions of graphql-php during query validation, potentially leading to denial of service or degraded performance. There is no indication of privilege escalation, data leakage, or other impacts beyond resource exhaustion. Existing query complexity and depth controls do not prevent this attack vector.
Mitigation Recommendations
Upgrade graphql-php to version 15.31.5 or later, where this issue has been fixed. No other mitigations are indicated or effective against this specific vulnerability. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but the description confirms the fix is included in version 15.31.5.
CVE-2026-40476: CWE-407: Inefficient Algorithmic Complexity in webonyx graphql-php
Description
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in graphql-php (CVE-2026-40476) involves the OverlappingFieldsCanBeMerged validation rule performing quadratic time complexity (O(n²)) pairwise comparisons on fields sharing the same response name. This inefficient algorithmic behavior allows an attacker to craft GraphQL queries with thousands of repeated identical fields, leading to excessive CPU consumption during the validation phase. This can degrade service performance or cause denial of service conditions. The problem affects versions below 15.31.5 and is not mitigated by existing query complexity or depth limits. The issue has been addressed and fixed in version 15.31.5.
Potential Impact
Exploitation of this vulnerability can cause excessive CPU usage on servers running vulnerable versions of graphql-php during query validation, potentially leading to denial of service or degraded performance. There is no indication of privilege escalation, data leakage, or other impacts beyond resource exhaustion. Existing query complexity and depth controls do not prevent this attack vector.
Mitigation Recommendations
Upgrade graphql-php to version 15.31.5 or later, where this issue has been fixed. No other mitigations are indicated or effective against this specific vulnerability. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but the description confirms the fix is included in version 15.31.5.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.113Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2af46bdfbbecc59986553
Added to database: 4/17/2026, 10:08:06 PM
Last enriched: 4/17/2026, 10:23:04 PM
Last updated: 4/20/2026, 9:09:46 AM
Views: 27
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.