Description
A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the GraphQL output-field handling of keystonejs keystone (packages/core/src/lib/core/queries/output-field.ts) lets an attacker craft requests that consume server resources. The issue is classified as CWE-400 (uncontrolled resource consumption) and CWE-404 (improper resource shutdown or release) and can drive sustained CPU or memory usage, degrading or interrupting service for legitimate users. Every recorded CVSS vector rates confidentiality and integrity impact as none: the vulnerability does not grant code execution or data access, only an availability impact on the targeted deployment.

Affected Systems

The problem exists in the keystonejs keystone framework, in the component that serves GraphQL API requests, in releases up to the 2026-03-19 snapshot (recorded as version 20260319). Any deployment on that or an earlier release is potentially vulnerable. The CPE entry carries no version bounds and no fixed release is named, so the date cutoff is the only affected-version information available.

Risk and Exploitability

The headline CVSS score of 5.3 (Medium) is the CVSS 4.0 value; the CVSS 3.x vectors rate the issue 4.3. All vectors require low privileges (PR:L) and no user interaction, so the attacker needs an account on the target but nothing more. The EPSS score is below 1% (Very Low) and the issue is not listed in the CISA KEV catalog, yet public proof-of-concept code exists and the attack is remote: crafted GraphQL queries sent to the endpoint exhaust server resources. The SSVC assessment rates it as not automatable with partial technical impact. Until a fix is applied the risk remains moderate, and it is higher where the GraphQL endpoint accepts queries from self-registered or otherwise untrusted accounts.

Generated by OpenCVE AI on June 4, 2026 at 13:51 UTC.

Remediation

No vendor release or documented workaround is available yet. The fix is proposed in pull request #9831 against keystonejs, which had not been merged at publication time.

OpenCVE Recommended Actions

  • Track pull request #9831 in keystonejs and apply it once merged; until then, backport the change to the output-field module (packages/core/src/lib/core/queries/output-field.ts) if your deployment can carry a local patch.
  • Upgrade to the first keystonejs keystone release that includes the patch as soon as one ships. Until then, restrict the GraphQL endpoint to trusted accounts and enforce strict limits on query size, depth and aliasing, since the attack requires only a low-privilege account.
  • Throttle or rate-limit the GraphQL API per client to cap abusive query volume, and alert on sudden CPU or memory spikes on the API servers, which may indicate exploitation attempts.
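The query-limit and throttling actions above, as an added example in plain JavaScript. This is not code from the Keystone project or from this advisory, and it assumes nothing about the actual vulnerable path in output-field.ts: it is a generic front-door gate that runs before the GraphQL parser, rejecting oversized, deeply nested or alias-heavy queries and capping requests per client. The limit values, the client ids and the three sample queries are constructed for illustration.

```javascript
// Added example, not code from the Keystone project or this advisory: two front-door
// guards that implement the recommended actions above (strict query size limits and
// per-client throttling) ahead of the GraphQL parser. Limits, client ids and sample
// queries are constructed for illustration; tune them to your schema before use.

const LIMITS = {
  maxBytes: 8 * 1024,  // raw query text size
  maxDepth: 8,         // nesting of selection sets
  maxFields: 200,      // total selections, including aliased ones and fragment spreads
  maxAliases: 20,      // alias batching multiplies resolver work per request
};

const NAME_START = /[A-Za-z_]/;
const NAME_CHAR = /[A-Za-z0-9_]/;

// Lexical scan of a query string: counts selection-set depth, fields and aliases without
// a full parser. Strings, comments, argument lists and directives are skipped so braces
// and names inside them are not counted. This is a cheap first gate only; the real
// parser and a proper validation rule should still run behind it.
function inspectQuery(query) {
  const stats = { bytes: new TextEncoder().encode(query).length, depth: 0, fields: 0, aliases: 0 };
  const n = query.length;
  let i = 0, depth = 0, parens = 0, afterSpread = false;
  const skipWs = () => { while (i < n && /[\s,]/.test(query[i])) i++; };
  const readName = () => { const s = i; while (i < n && NAME_CHAR.test(query[i])) i++; return query.slice(s, i); };

  while (i < n) {
    const c = query[i];
    if (c === '#') { while (i < n && query[i] !== '\n') i++; continue; }  // comment
    if (query.startsWith('"""', i)) { const e = query.indexOf('"""', i + 3); i = e < 0 ? n : e + 3; continue; }
    if (c === '"') { i++; while (i < n && query[i] !== '"') i += query[i] === '\\' ? 2 : 1; i++; continue; }
    if (c === '(') { parens++; i++; continue; }
    if (c === ')') { parens--; i++; continue; }
    if (parens > 0) { i++; continue; }  // arguments and variable definitions are ignored
    if (c === '{') { depth++; stats.depth = Math.max(stats.depth, depth); i++; continue; }
    if (c === '}') { depth--; i++; continue; }
    if (query.startsWith('...', i)) { i += 3; afterSpread = true; continue; }
    if (c === '@') { i++; readName(); continue; }  // directive name
    if (NAME_START.test(c)) {
      const name = readName();
      if (afterSpread) {  // "...Frag" counts as one selection; "... on Type" is a type condition
        afterSpread = false;
        if (name === 'on') { skipWs(); readName(); continue; }
      }
      if (depth === 0) continue;  // operation or fragment header
      skipWs();
      if (query[i] === ':') { stats.aliases++; i++; continue; }  // alias; the real field name follows
      stats.fields++;
      continue;
    }
    i++;
  }
  return stats;
}

// Reject before parsing if any limit is exceeded; reports the first violated limit.
function checkQueryLimits(query, limits = LIMITS) {
  const stats = inspectQuery(query);
  if (stats.bytes > limits.maxBytes) return { ok: false, reason: 'size', stats };
  if (stats.depth > limits.maxDepth) return { ok: false, reason: 'depth', stats };
  if (stats.aliases > limits.maxAliases) return { ok: false, reason: 'aliases', stats };
  if (stats.fields > limits.maxFields) return { ok: false, reason: 'fields', stats };
  return { ok: true, reason: null, stats };
}

// Sliding-window limiter keyed by client (API token, session or source IP). The clock is
// injected so behaviour is deterministic; pass Date.now() in production.
class RateLimiter {
  constructor(maxRequests, windowMs) { this.max = maxRequests; this.windowMs = windowMs; this.hits = new Map(); }
  allow(clientId, nowMs) {
    const recent = (this.hits.get(clientId) || []).filter(t => nowMs - t < this.windowMs);
    if (recent.length >= this.max) { this.hits.set(clientId, recent); return false; }
    recent.push(nowMs);
    this.hits.set(clientId, recent);
    return true;
  }
}

// Gate a request: throttle first (cheapest), then inspect the query text.
function admitRequest(limiter, clientId, query, nowMs) {
  if (!limiter.allow(clientId, nowMs)) return { ok: false, reason: 'rate' };
  return checkQueryLimits(query);
}

// Constructed sample queries.
const SAMPLE_OK = `query Posts($first: Int = 10) {
  posts(take: $first, where: { status: { equals: "published" } }) { id title author { id name } }
}`;
// Alias batching: one expensive selection repeated under many aliases in a single request.
const SAMPLE_ALIAS_FLOOD = 'query {\n' +
  Array.from({ length: 30 }, (_, k) => `  p${k}: posts { id title author { name } }`).join('\n') + '\n}';
// Deep nesting through a self-referential relationship.
const SAMPLE_DEEP = 'query { ' + 'users { friends { '.repeat(6) + 'id' + ' }'.repeat(13);

// One client sends all three, then a fourth request: the second is rejected on aliases,
// the third on depth, the fourth on rate (3 requests per second allowed).
function demo() {
  const limiter = new RateLimiter(3, 1000);
  return [SAMPLE_OK, SAMPLE_ALIAS_FLOOD, SAMPLE_DEEP, SAMPLE_OK].map((q, k) =>
    admitRequest(limiter, 'client-a', q, k * 100).reason);
}
console.log(demo()); // [ null, 'aliases', 'depth', 'rate' ]
```

Because the vectors require only a low-privilege account, key the limiter on the authenticated identity (API token or session) rather than on source IP alone. The lexical scan is deliberately coarse; the durable control is a depth or cost validation rule inside the GraphQL server itself, which in Keystone 6 would be supplied through its `graphql.apolloConfig` option for Apollo Server (check the documentation for the version you run), and neither replaces the upstream fix.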

Generated by OpenCVE AI on June 4, 2026 at 13:51 UTC.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 12:15:00 +0000

Type                 Values Removed   Values Added
Description                           A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.
Title                                 keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption
First Time appeared                   Keystonejs
                                      Keystonejs keystone
Weaknesses                            CWE-400
                                      CWE-404
CPEs                                  cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:*:*:*
Vendors & Products                    Keystonejs
                                      Keystonejs keystone
References
Metrics                               cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T12:31:20.535Z

Reserved: 2026-06-04T05:02:30.479Z

Link: CVE-2026-10802

Vulnrichment

Updated: 2026-06-04T12:31:17.261Z

NVD

Status : Deferred

Published: 2026-06-04T12:16:24.267

Modified: 2026-06-04T16:10:59.820

Link: CVE-2026-10802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T14:00:15Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-404

    Improper Resource Shutdown or Release