PatchSiren

webonyx CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM | webonyx CVE | published 2026-04-17

CVE-2026-40476

This CVE describes a validation-stage denial of service in GraphQL server handling. A crafted query containing thousands of repeated fields with the same response name can force the OverlappingFieldsCanBeMerged rule into O(n²) pairwise comparisons, consuming excessive CPU before execution begins. Because the work happens during validation, depth and complexity limits do not stop it. NVD maps the issue to [truncated]