Overlapping Fields Vulnerability in graphql-go by Webonyx
CVE-2026-40476

6.9 MEDIUM

Key Information:

Vendor: Webonyx
CVE Published: 17 April 2026

What is CVE-2026-40476?

The graphql-go library, a Go implementation of GraphQL, has a performance flaw in its OverlappingFieldsCanBeMerged validation rule. In versions 15.31.4 and below, the rule performs O(n²) pairwise comparisons between fields that share the same response name. An attacker can therefore send a query that repeats an identical field a large number of times and force excessive CPU usage during the validation phase, before query execution begins. Because the cost is incurred in validation, the existing QueryDepth and QueryComplexity defenses do not mitigate it. The issue is fixed in version 15.31.5.
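A pre-validation guard for the behaviour described above, written as an added example for this page (not code from the affected project). It assumes the query arrives as a raw string and counts, per selection set, how many sibling fields share one response name, so a server on an unpatched version can refuse pathological queries before the quadratic rule runs; the function name and the token regex are this example's own.

```go
package main

import "regexp"

// Quoted strings are kept whole so braces inside them are ignored.
var tokenRe = regexp.MustCompile(`"(?:\\.|[^"\\])*"|[{}():@.]|[A-Za-z_][A-Za-z0-9_]*|[^\s,]`)

// maxSameResponseName returns the largest number of sibling fields sharing one
// response name (alias if present, else field name) in any single selection set.
// Spreads are not expanded, so this is a lower bound on what the rule compares.
func maxSameResponseName(query string) int {
	toks := tokenRe.FindAllString(query, -1)
	var stack []map[string]int // one counter map per open selection set
	parens, best := 0, 0
	for i, t := range toks {
		switch t {
		case "(":
			parens++
		case ")":
			parens--
		case "{":
			if parens == 0 {
				stack = append(stack, map[string]int{})
			}
		case "}":
			if parens == 0 && len(stack) > 0 {
				stack = stack[:len(stack)-1]
			}
		default:
			prev := ""
			if i > 0 {
				prev = toks[i-1]
			}
			c := t[0]
			name := c == '_' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z'
			// Only names that begin a field selection count: skip argument lists,
			// directives (@x), spreads (...x), "... on T" and the field behind an alias.
			if parens > 0 || len(stack) == 0 || !name || prev == "@" || prev == "." ||
				prev == ":" || prev == "on" && i > 1 && toks[i-2] == "." {
				continue
			}
			top := stack[len(stack)-1]
			if top[t]++; top[t] > best {
				best = top[t]
			}
		}
	}
	return best
}
```

Compare the returned count against a small limit (a few dozen is generous for legitimate queries) and reject the request before handing it to the validator.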

Affected Version(s)

graphql-php < 15.31.5

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
