CVE-2026-40476: CWE-407: Inefficient Algorithmic Complexity in webonyx graphql-php
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
AI Analysis
Technical Summary
The vulnerability in graphql-php (CVE-2026-40476) arises from an inefficient algorithmic complexity in the OverlappingFieldsCanBeMerged validation rule, which performs O(n²) pairwise comparisons of fields sharing the same response name. This inefficiency allows an attacker to craft a query with a large number of repeated identical fields, leading to excessive CPU consumption during the validation phase before query execution. This can degrade service performance or cause denial of service conditions. The issue affects versions below 15.31.5 and has been addressed in version 15.31.5.
Potential Impact
Exploitation of this vulnerability can cause excessive CPU usage on servers running vulnerable versions of graphql-php, potentially leading to denial of service or degraded performance. There is no indication of privilege escalation, data leakage, or other impacts beyond resource exhaustion. Existing query depth and complexity controls do not mitigate this issue.
Mitigation Recommendations
Upgrade graphql-php to version 15.31.5 or later, where this inefficiency has been fixed. Since the vendor advisory does not specify any temporary workarounds or alternative mitigations, applying the official fix is the recommended action. Patch status is not explicitly confirmed in the advisory, but the fix is indicated by the version increment.
CVE-2026-40476: CWE-407: Inefficient Algorithmic Complexity in webonyx graphql-php
Description
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
CVSS v4.0
Score 6.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in graphql-php (CVE-2026-40476) arises from an inefficient algorithmic complexity in the OverlappingFieldsCanBeMerged validation rule, which performs O(n²) pairwise comparisons of fields sharing the same response name. This inefficiency allows an attacker to craft a query with a large number of repeated identical fields, leading to excessive CPU consumption during the validation phase before query execution. This can degrade service performance or cause denial of service conditions. The issue affects versions below 15.31.5 and has been addressed in version 15.31.5.
Potential Impact
Exploitation of this vulnerability can cause excessive CPU usage on servers running vulnerable versions of graphql-php, potentially leading to denial of service or degraded performance. There is no indication of privilege escalation, data leakage, or other impacts beyond resource exhaustion. Existing query depth and complexity controls do not mitigate this issue.
Mitigation Recommendations
Upgrade graphql-php to version 15.31.5 or later, where this inefficiency has been fixed. Since the vendor advisory does not specify any temporary workarounds or alternative mitigations, applying the official fix is the recommended action. Patch status is not explicitly confirmed in the advisory, but the fix is indicated by the version increment.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.113Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2af46bdfbbecc59986553
Added to database: 4/17/2026, 10:08:06 PM
Last enriched: 4/25/2026, 2:56:44 AM
Last updated: 6/4/2026, 12:04:20 PM
Views: 71
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.