CVE-2026-40476 — HIGH (7.5)

Q: How severe is CVE-2026-40476?

CVE-2026-40476 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-40476?

Check the references section above for vendor advisories and patch information. Affected products include: Webonyx Graphql-Php.

Vulnerability Description

graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Webonyx	Graphql-Php	< 15.31.5

Related Weaknesses (CWE)

CWE-407

References

https://github.com/webonyx/graphql-php/releases/tag/v15.31.5Release Notes
https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrrVendor Advisory

FAQ

What is CVE-2026-40476?

CVE-2026-40476 is a vulnerability with a CVSS score of 7.5 (HIGH). graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response na...

How severe is CVE-2026-40476?

CVE-2026-40476 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-40476?

Check the references section above for vendor advisories and patch information. Affected products include: Webonyx Graphql-Php.