Vulnerability Details CVE-2026-40476
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU usage during validation before execution begins. This is not mitigated by existing QueryDepth or QueryComplexity rules. This issue has been fixed in version 15.31.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.6%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-40476
-
cpe:2.3:a:webonyx:graphql-php:0.1
-
cpe:2.3:a:webonyx:graphql-php:0.10.0
-
cpe:2.3:a:webonyx:graphql-php:0.10.1
-
cpe:2.3:a:webonyx:graphql-php:0.10.2
-
cpe:2.3:a:webonyx:graphql-php:0.11.0
-
cpe:2.3:a:webonyx:graphql-php:0.11.1
-
cpe:2.3:a:webonyx:graphql-php:0.11.2
-
cpe:2.3:a:webonyx:graphql-php:0.11.3
-
cpe:2.3:a:webonyx:graphql-php:0.11.4
-
cpe:2.3:a:webonyx:graphql-php:0.11.5
-
cpe:2.3:a:webonyx:graphql-php:0.11.6
-
cpe:2.3:a:webonyx:graphql-php:0.12.0
-
cpe:2.3:a:webonyx:graphql-php:0.12.1
-
cpe:2.3:a:webonyx:graphql-php:0.12.2
-
cpe:2.3:a:webonyx:graphql-php:0.12.3
-
cpe:2.3:a:webonyx:graphql-php:0.12.4
-
cpe:2.3:a:webonyx:graphql-php:0.12.5
-
cpe:2.3:a:webonyx:graphql-php:0.12.6
-
cpe:2.3:a:webonyx:graphql-php:0.13.0
-
cpe:2.3:a:webonyx:graphql-php:0.13.1
-
cpe:2.3:a:webonyx:graphql-php:0.13.2
-
cpe:2.3:a:webonyx:graphql-php:0.13.3
-
cpe:2.3:a:webonyx:graphql-php:0.13.4
-
cpe:2.3:a:webonyx:graphql-php:0.13.5
-
cpe:2.3:a:webonyx:graphql-php:0.13.6
-
cpe:2.3:a:webonyx:graphql-php:0.13.7
-
cpe:2.3:a:webonyx:graphql-php:0.13.8
-
cpe:2.3:a:webonyx:graphql-php:0.13.9
-
cpe:2.3:a:webonyx:graphql-php:0.2
-
cpe:2.3:a:webonyx:graphql-php:0.3
-
cpe:2.3:a:webonyx:graphql-php:0.4
-
cpe:2.3:a:webonyx:graphql-php:0.5
-
cpe:2.3:a:webonyx:graphql-php:0.5.1
-
cpe:2.3:a:webonyx:graphql-php:0.5.2
-
cpe:2.3:a:webonyx:graphql-php:0.5.3
-
cpe:2.3:a:webonyx:graphql-php:0.5.4
-
cpe:2.3:a:webonyx:graphql-php:0.5.5
-
cpe:2.3:a:webonyx:graphql-php:0.5.6
-
cpe:2.3:a:webonyx:graphql-php:0.5.7
-
cpe:2.3:a:webonyx:graphql-php:0.5.8
-
cpe:2.3:a:webonyx:graphql-php:0.5.9
-
cpe:2.3:a:webonyx:graphql-php:0.6.0
-
cpe:2.3:a:webonyx:graphql-php:0.6.1
-
cpe:2.3:a:webonyx:graphql-php:0.6.2
-
cpe:2.3:a:webonyx:graphql-php:0.6.3
-
cpe:2.3:a:webonyx:graphql-php:0.6.4
-
cpe:2.3:a:webonyx:graphql-php:0.7.0
-
cpe:2.3:a:webonyx:graphql-php:0.7.1
-
cpe:2.3:a:webonyx:graphql-php:0.7.2
-
cpe:2.3:a:webonyx:graphql-php:0.8.0
-
cpe:2.3:a:webonyx:graphql-php:0.9.0
-
cpe:2.3:a:webonyx:graphql-php:0.9.1
-
cpe:2.3:a:webonyx:graphql-php:0.9.10
-
cpe:2.3:a:webonyx:graphql-php:0.9.11
-
cpe:2.3:a:webonyx:graphql-php:0.9.12
-
cpe:2.3:a:webonyx:graphql-php:0.9.13
-
cpe:2.3:a:webonyx:graphql-php:0.9.14
-
cpe:2.3:a:webonyx:graphql-php:0.9.2
-
cpe:2.3:a:webonyx:graphql-php:0.9.3
-
cpe:2.3:a:webonyx:graphql-php:0.9.4
-
cpe:2.3:a:webonyx:graphql-php:0.9.5
-
cpe:2.3:a:webonyx:graphql-php:0.9.6
-
cpe:2.3:a:webonyx:graphql-php:0.9.7
-
cpe:2.3:a:webonyx:graphql-php:0.9.8
-
cpe:2.3:a:webonyx:graphql-php:0.9.9
-
cpe:2.3:a:webonyx:graphql-php:14.0.0
-
cpe:2.3:a:webonyx:graphql-php:14.0.1
-
cpe:2.3:a:webonyx:graphql-php:14.0.2
-
cpe:2.3:a:webonyx:graphql-php:14.1.0
-
cpe:2.3:a:webonyx:graphql-php:14.1.1
-
cpe:2.3:a:webonyx:graphql-php:14.10.0
-
cpe:2.3:a:webonyx:graphql-php:14.11.0
-
cpe:2.3:a:webonyx:graphql-php:14.11.1
-
cpe:2.3:a:webonyx:graphql-php:14.11.10
-
cpe:2.3:a:webonyx:graphql-php:14.11.2
-
cpe:2.3:a:webonyx:graphql-php:14.11.3
-
cpe:2.3:a:webonyx:graphql-php:14.11.4
-
cpe:2.3:a:webonyx:graphql-php:14.11.5
-
cpe:2.3:a:webonyx:graphql-php:14.11.6
-
cpe:2.3:a:webonyx:graphql-php:14.11.7
-
cpe:2.3:a:webonyx:graphql-php:14.11.8
-
cpe:2.3:a:webonyx:graphql-php:14.11.9
-
cpe:2.3:a:webonyx:graphql-php:14.2.0
-
cpe:2.3:a:webonyx:graphql-php:14.3.0
-
cpe:2.3:a:webonyx:graphql-php:14.4.0
-
cpe:2.3:a:webonyx:graphql-php:14.4.1
-
cpe:2.3:a:webonyx:graphql-php:14.5.0
-
cpe:2.3:a:webonyx:graphql-php:14.5.1
-
cpe:2.3:a:webonyx:graphql-php:14.6.0
-
cpe:2.3:a:webonyx:graphql-php:14.6.1
-
cpe:2.3:a:webonyx:graphql-php:14.6.2
-
cpe:2.3:a:webonyx:graphql-php:14.6.3
-
cpe:2.3:a:webonyx:graphql-php:14.6.4
-
cpe:2.3:a:webonyx:graphql-php:14.7.0
-
cpe:2.3:a:webonyx:graphql-php:14.8.0
-
cpe:2.3:a:webonyx:graphql-php:14.9.0
-
cpe:2.3:a:webonyx:graphql-php:15.0.0
-
cpe:2.3:a:webonyx:graphql-php:15.0.1
-
cpe:2.3:a:webonyx:graphql-php:15.0.2
-
cpe:2.3:a:webonyx:graphql-php:15.0.3
-
cpe:2.3:a:webonyx:graphql-php:15.1.0
-
cpe:2.3:a:webonyx:graphql-php:15.10.0
-
cpe:2.3:a:webonyx:graphql-php:15.11.0
-
cpe:2.3:a:webonyx:graphql-php:15.11.1
-
cpe:2.3:a:webonyx:graphql-php:15.11.2
-
cpe:2.3:a:webonyx:graphql-php:15.12.0
-
cpe:2.3:a:webonyx:graphql-php:15.12.1
-
cpe:2.3:a:webonyx:graphql-php:15.12.2
-
cpe:2.3:a:webonyx:graphql-php:15.12.3
-
cpe:2.3:a:webonyx:graphql-php:15.12.4
-
cpe:2.3:a:webonyx:graphql-php:15.12.5
-
cpe:2.3:a:webonyx:graphql-php:15.13.0
-
cpe:2.3:a:webonyx:graphql-php:15.14.0
-
cpe:2.3:a:webonyx:graphql-php:15.14.1
-
cpe:2.3:a:webonyx:graphql-php:15.14.2
-
cpe:2.3:a:webonyx:graphql-php:15.14.3
-
cpe:2.3:a:webonyx:graphql-php:15.15.0
-
cpe:2.3:a:webonyx:graphql-php:15.16.0
-
cpe:2.3:a:webonyx:graphql-php:15.16.1
-
cpe:2.3:a:webonyx:graphql-php:15.17.0
-
cpe:2.3:a:webonyx:graphql-php:15.18.0
-
cpe:2.3:a:webonyx:graphql-php:15.18.1
-
cpe:2.3:a:webonyx:graphql-php:15.19.0
-
cpe:2.3:a:webonyx:graphql-php:15.19.1
-
cpe:2.3:a:webonyx:graphql-php:15.2.0
-
cpe:2.3:a:webonyx:graphql-php:15.2.1
-
cpe:2.3:a:webonyx:graphql-php:15.2.2
-
cpe:2.3:a:webonyx:graphql-php:15.2.3
-
cpe:2.3:a:webonyx:graphql-php:15.2.4
-
cpe:2.3:a:webonyx:graphql-php:15.2.5
-
cpe:2.3:a:webonyx:graphql-php:15.20.0
-
cpe:2.3:a:webonyx:graphql-php:15.20.1
-
cpe:2.3:a:webonyx:graphql-php:15.21.0
-
cpe:2.3:a:webonyx:graphql-php:15.21.1
-
cpe:2.3:a:webonyx:graphql-php:15.21.2
-
cpe:2.3:a:webonyx:graphql-php:15.21.3
-
cpe:2.3:a:webonyx:graphql-php:15.22.0
-
cpe:2.3:a:webonyx:graphql-php:15.22.1
-
cpe:2.3:a:webonyx:graphql-php:15.22.2
-
cpe:2.3:a:webonyx:graphql-php:15.22.3
-
cpe:2.3:a:webonyx:graphql-php:15.22.4
-
cpe:2.3:a:webonyx:graphql-php:15.23.0
-
cpe:2.3:a:webonyx:graphql-php:15.23.1
-
cpe:2.3:a:webonyx:graphql-php:15.24.0
-
cpe:2.3:a:webonyx:graphql-php:15.25.0
-
cpe:2.3:a:webonyx:graphql-php:15.25.1
-
cpe:2.3:a:webonyx:graphql-php:15.25.2
-
cpe:2.3:a:webonyx:graphql-php:15.26.0
-
cpe:2.3:a:webonyx:graphql-php:15.27.0
-
cpe:2.3:a:webonyx:graphql-php:15.27.1
-
cpe:2.3:a:webonyx:graphql-php:15.27.2
-
cpe:2.3:a:webonyx:graphql-php:15.28.0
-
cpe:2.3:a:webonyx:graphql-php:15.29.0
-
cpe:2.3:a:webonyx:graphql-php:15.29.1
-
cpe:2.3:a:webonyx:graphql-php:15.29.2
-
cpe:2.3:a:webonyx:graphql-php:15.29.3
-
cpe:2.3:a:webonyx:graphql-php:15.29.4
-
cpe:2.3:a:webonyx:graphql-php:15.3.0
-
cpe:2.3:a:webonyx:graphql-php:15.3.1
-
cpe:2.3:a:webonyx:graphql-php:15.3.2
-
cpe:2.3:a:webonyx:graphql-php:15.30.0
-
cpe:2.3:a:webonyx:graphql-php:15.30.1
-
cpe:2.3:a:webonyx:graphql-php:15.30.2
-
cpe:2.3:a:webonyx:graphql-php:15.31.0
-
cpe:2.3:a:webonyx:graphql-php:15.31.1
-
cpe:2.3:a:webonyx:graphql-php:15.31.2
-
cpe:2.3:a:webonyx:graphql-php:15.31.3
-
cpe:2.3:a:webonyx:graphql-php:15.31.4
-
cpe:2.3:a:webonyx:graphql-php:15.4.0
-
cpe:2.3:a:webonyx:graphql-php:15.5.0
-
cpe:2.3:a:webonyx:graphql-php:15.5.1
-
cpe:2.3:a:webonyx:graphql-php:15.5.2
-
cpe:2.3:a:webonyx:graphql-php:15.5.3
-
cpe:2.3:a:webonyx:graphql-php:15.6.0
-
cpe:2.3:a:webonyx:graphql-php:15.6.1
-
cpe:2.3:a:webonyx:graphql-php:15.6.2
-
cpe:2.3:a:webonyx:graphql-php:15.6.3
-
cpe:2.3:a:webonyx:graphql-php:15.7.0
-
cpe:2.3:a:webonyx:graphql-php:15.8.0
-
cpe:2.3:a:webonyx:graphql-php:15.8.1
-
cpe:2.3:a:webonyx:graphql-php:15.9.0
-
cpe:2.3:a:webonyx:graphql-php:15.9.1