Inefficient Algorithmic Complexity

CVE-2026-40476

Medium

6.9/10

Summary

graphql-go is a Go implementation of GraphQL. In versions through 15.31.4, the "OverlappingFieldsCanBeMerged" validation rule performs O(n) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. Existing QueryDepth or QueryComplexity rules do not mitigate this. This issue has been fixed in version 15.31.5.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-407 - Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

References

Advisory

Advisory Timeline

Published Apr 17, 2026

Inefficient Algorithmic Complexity

CVE-2026-40476

Summary

CWE-407 - Inefficient Algorithmic Complexity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS