Description
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
Published: 2026-04-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the OverlappingFieldsCanBeMerged validation rule of the graphql-php library, which performs pairwise comparisons of fields that share a response name. In versions 15.31.4 and below, the algorithm scales quadratically (O(n²)), so an attacker can craft a query containing thousands of identical fields. When processed, the server expends excessive CPU time validating the request before any execution occurs, which can exhaust resources and result in a denial of service.

Affected Systems

Affected vendors are represented by webonyx:graphql-php. The flaw appears in all versions up to and including 15.31.4. The issue is corrected in version 15.31.5 and later.

Risk and Exploitability

The CVSS vector assigns a score of 6.9, indicating moderate impact, but the lack of an EPSS score and absence from the KEV list suggest exploitation is not yet documented or common. The attack requires ability to send arbitrary GraphQL queries to the endpoint; no authentication or privilege escalation is needed. Exploitation is straightforward: an attacker submits a large query, causing the server to consume disproportionate CPU, potentially impacting all users.

Generated by OpenCVE AI on April 18, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 15.31.5 or later of graphql-php to remove the quadratic complexity.
  • Apply any additional query depth or complexity limits to restrict large requests at the API gateway level.
  • Monitor server CPU load and network traffic for anomalous spikes that could indicate an ongoing denial‑of‑service attempt.

Generated by OpenCVE AI on April 18, 2026 at 08:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-68jq-c3rv-pcrr graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Webonyx
Webonyx graphql-php
Vendors & Products Webonyx
Webonyx graphql-php
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
Title graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Webonyx Graphql-php
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:56:57.812Z

Reserved: 2026-04-13T19:50:42.113Z

Link: CVE-2026-40476

cve-icon Vulnrichment

Updated: 2026-04-20T14:53:07.583Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T22:16:33.360

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-40476

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:30Z

Weaknesses