PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40476 webonyx CVE debrief

This CVE describes a validation-stage denial of service in webonyx/graphql-php, a GraphQL server library for PHP. A crafted query containing thousands of repeated fields that share a response name forces the OverlappingFieldsCanBeMerged validation rule to compare every pair of those fields, so CPU cost grows as O(n²) in the number of repeats, and all of it is spent before execution begins. Because the work happens during validation, and because the repeated fields sit at the same nesting level, the QueryDepth and QueryComplexity rules do not stop it. NVD maps the issue to webonyx/graphql-php and records the fix in 15.31.5.

Vendor
webonyx
Product
graphql-php
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-17
Original CVE updated
2026-05-21
Advisory published
2026-04-17
Advisory updated
2026-05-21

Who should care

Operators of internet-facing GraphQL APIs, maintainers of applications using webonyx/graphql-php, and SRE/security teams responsible for request-rate and CPU protection.

Technical summary

According to the advisory summary, the validation rule OverlappingFieldsCanBeMerged compares every pair of fields that share a response name (the alias when one is given, otherwise the field name). A query that repeats one identical field n times therefore triggers roughly n²/2 comparisons, driving quadratic CPU usage during validation and creating a pre-execution denial of service. NVD records the vulnerable range as versions below 15.31.5 and lists CWE-407 (inefficient algorithmic complexity).

Defensive priority

Medium-to-high. Raise to high for public or untrusted GraphQL endpoints because the issue is network-reachable, unauthenticated, and impacts CPU before application logic runs.

Recommended defensive actions

  • Upgrade webonyx/graphql-php to 15.31.5 or later.
  • Confirm all deployed services use the fixed library version, including transitive dependencies and vendor-locked builds.
  • Add monitoring for validation-time CPU spikes and anomalous GraphQL requests with excessive repeated fields.
  • Rate-limit and protect public GraphQL endpoints at the edge to reduce abuse impact.
  • Add a pre-validation guard in your deployment path where possible, such as a request-size cap or a check that rejects queries with many selections sharing one response name; do not rely on the QueryDepth or QueryComplexity rules alone, since the advisory states they do not mitigate this issue.
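The following PHP script is an added example for this debrief; it is not code from the graphql-php project or from the advisory. It illustrates the mechanism in the technical summary (n repeated fields with one response name cost n(n-1)/2 pairwise comparisons, while query depth stays at 1) and the pre-validation guard suggested in the last recommended action: it parses the query with the library's own parser, counts direct field selections per selection set that collapse to the same response name, and rejects the request before DocumentValidator ever runs the OverlappingFieldsCanBeMerged rule. It assumes graphql-php 15.x is installed via Composer; the threshold MAX_REPEATS, the helper names, and the sample queries are this example's own constructions.

```php
<?php
// Added example for this debrief (not graphql-php project code and not taken
// from the advisory). Assumptions: graphql-php 15.x via Composer autoload;
// MAX_REPEATS and the helper names below are this example's own choices.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GraphQL\Error\Error;
use GraphQL\Language\AST\FieldNode;
use GraphQL\Language\AST\NodeKind;
use GraphQL\Language\AST\SelectionSetNode;
use GraphQL\Language\Parser;
use GraphQL\Language\Visitor;

// Assumed ceiling for fields sharing one response name in a single selection set.
const MAX_REPEATS = 32;

/**
 * Pairwise comparisons the OverlappingFieldsCanBeMerged rule must perform for
 * n fields that share a response name: n choose 2.
 */
function pairwiseComparisons(int $n): int
{
    return intdiv($n * ($n - 1), 2);
}

/**
 * Walks every selection set in the document (operations and fragment
 * definitions alike) and returns the largest number of direct field
 * selections that share a response name (alias if present, else field name).
 * Only parsing runs here, which is linear in query size.
 */
function maxRepeatedResponseName(string $query): int
{
    $ast = Parser::parse($query, ['noLocation' => true]);
    $max = 0;

    Visitor::visit($ast, [
        NodeKind::SELECTION_SET => function (SelectionSetNode $node) use (&$max): void {
            $counts = [];
            foreach ($node->selections as $selection) {
                if (!$selection instanceof FieldNode) {
                    continue; // fragment spreads / inline fragments are not counted here
                }
                $responseName = $selection->alias !== null
                    ? $selection->alias->value
                    : $selection->name->value;
                $counts[$responseName] = ($counts[$responseName] ?? 0) + 1;
                $max = max($max, $counts[$responseName]);
            }
        },
    ]);

    return $max;
}

/**
 * Guard to call before GraphQL::executeQuery() / DocumentValidator::validate().
 * Throws a GraphQL\Error\Error when the query exceeds MAX_REPEATS.
 */
function assertNoExcessiveRepeats(string $query): void
{
    $repeats = maxRepeatedResponseName($query);
    if ($repeats > MAX_REPEATS) {
        throw new Error(sprintf(
            'Query rejected: %d selections share one response name (limit %d)',
            $repeats,
            MAX_REPEATS
        ));
    }
}

// --- Demonstration with constructed queries ---------------------------------

// Benign query: distinct response names, nesting depth 2.
$benign = '{ viewer { id name } }';

// The shape the advisory describes: one field repeated n times at depth 1.
// Depth stays 1, so a depth limit never fires, yet validation would perform
// pairwiseComparisons(n) comparisons before execution starts.
$n = 5000;
$repeated = '{ ' . str_repeat('id ', $n) . '}';

// Aliases that collapse to one response name count too.
$aliased = '{ ' . str_repeat('x: id ', 40) . '}';

foreach (['benign' => $benign, 'repeated' => $repeated, 'aliased' => $aliased] as $label => $q) {
    $r = maxRepeatedResponseName($q);
    printf("%-9s max repeats=%5d  pairwise comparisons=%d\n", $label, $r, pairwiseComparisons($r));
    try {
        assertNoExcessiveRepeats($q);
        echo "  accepted\n";
    } catch (Error $e) {
        echo '  rejected: ' . $e->getMessage() . "\n";
    }
}
```

For the constructed 5000-field query the guard reports 5000 repeats and 12,497,500 pairwise comparisons that the validation rule would otherwise have to perform, while the benign query reports 1 and is accepted. Two caveats: the guard counts only direct field selections inside each selection set, whereas the validation rule also merges fields reached through fragment spreads, so a fuller guard would follow spreads as well; and it is a stopgap for hosts that cannot upgrade immediately, not a replacement for moving to 15.31.5 or later.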

Evidence notes

Source corpus indicates the flaw is fixed in v15.31.5 and that v15.31.4 and earlier are vulnerable. NVD references the vendor advisory GHSA-68jq-c3rv-pcrr and the release notes for 15.31.5. The supplied description states that the issue lies in the OverlappingFieldsCanBeMerged validation rule, that repeated identical fields cause O(n²) comparisons, and that the QueryDepth and QueryComplexity rules do not mitigate it. The CVSS 4.0 vector records network attack vector, low attack complexity, no authentication required, and impact on availability only; the weakness is classified as CWE-407.

Official resources

Publicly disclosed on 2026-04-17 per the CVE/NVD publication timestamp; NVD last modified the record on 2026-05-21.