CVE-2026-1174
Unknown Unknown - Not Provided
Resource Consumption Vulnerability in Birkir Prime GraphQL Alias Handler

Publication date: 2026-01-19

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1174
EUVD
EUVD-2026-3196
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
birkir prime to 0.4.0.beta.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1174 is a resource consumption vulnerability in birkir prime up to version 0.4.0.beta.0, specifically affecting the /graphql endpoint of the GraphQL Alias Handler component. It allows an attacker to overload a single GraphQL query by including multiple aliases of the same field or operation, causing the server to process many identical fields under different aliases. This leads to excessive resource usage, potentially exhausting system resources and impacting availability. The attack can be performed remotely without authentication, and a proof-of-concept exploit is publicly available. [1, 2, 3]

Impact Analysis

This vulnerability can cause denial of service by exhausting system resources on the affected server, leading to reduced availability or complete unavailability of the service. Since the attack can be executed remotely without authentication, it poses a risk of service disruption to users relying on the affected birkir prime application. Additionally, it may allow attackers to bypass certain security restrictions by exploiting the alias overloading feature in GraphQL queries. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive GraphQL queries to the /graphql endpoint that contain multiple aliases of the same field or operation, which is abnormal behavior. A practical detection method is to look for POST requests with GraphQL queries that include many aliases of the same field, such as __typename. For example, using curl, one can simulate or detect such queries by inspecting logs or traffic for queries similar to the proof-of-concept: a POST request with a JSON payload containing a query with over 100 aliases (alias0 to alias100) all requesting the __typename field. Specific commands to detect such activity would involve analyzing web server logs or network traffic for these patterns. However, no explicit detection commands are provided in the resources. [3]

Mitigation Strategies

There are no known patches or fixes for this vulnerability as of the disclosure date. Immediate mitigation steps include considering replacing the affected product (birkir prime up to 0.4.0.beta.0) with an alternative product not affected by this issue. Additionally, monitoring and limiting the complexity or number of aliases in GraphQL queries to the /graphql endpoint may help reduce risk. Since the attack can be executed remotely without authentication, restricting access to the endpoint or implementing rate limiting and query complexity analysis could be temporary mitigations until a fix is available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart