Description
A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
Published: 2026-07-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to submit arbitrarily deep GraphQL queries to the Central API. Those requests consume large amounts of CPU and memory, exhausting resources in the management plane and causing a denial of service. The weakness is a classic resource exhaustion condition.

Affected Systems

Red Hat Advanced Cluster Security 4 for Kubernetes is affected. No further sub‑version detail is provided, so all instances running version 4 are at risk.

Risk and Exploitability

The CVSS score of 7.7 marks it as high severity, but the EPSS score of less than 1% indicates a very low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack requires an authenticated user with a valid API token; an attacker needs to obtain or be granted API credentials before being able to exploit the flaw.

Generated by OpenCVE AI on July 6, 2026 at 17:01 UTC.

Remediation

Vendor Workaround

There is no complete mitigation other than installing the update once available.


OpenCVE Recommended Actions

  • Apply the vendor patch for Red Hat Advanced Cluster Security as soon as it becomes available.
  • Limit API token usage to the minimum set of users who truly need access and de‑provision unused tokens.
  • Monitor Central for unusually deep GraphQL queries or high resource usage; if possible, enforce a temporary depth limit or reject requests that exceed a safe threshold.

Generated by OpenCVE AI on July 6, 2026 at 17:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
Title Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service
First Time appeared Redhat
Redhat advanced Cluster Security
Weaknesses CWE-400
CPEs cpe:/a:redhat:advanced_cluster_security:4
Vendors & Products Redhat
Redhat advanced Cluster Security
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

Redhat Advanced Cluster Security
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-06T08:46:22.139Z

Reserved: 2026-05-21T12:54:16.202Z

Link: CVE-2026-9165

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-06T08:38:30Z

Links: CVE-2026-9165 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption