CVE-2026-43967
Undergoing Analysis Undergoing Analysis - In Progress
Denial of Service in Absinthe-GraphQL via Quadratic Fragment Validation

Publication date: 2026-05-08

Last updated on: 2026-05-22

Assigner: EEF

Description
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) β€” a full linear scan of the fragment list. The result is O(NΒ²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 Γ— 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-22
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43967
EUVD
EUVD-2026-28800
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
absinthe-graphql absinthe From 1.2.0 (exc) to 1.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary mitigation is to upgrade the absinthe-graphql library to version 1.10.2 or later, where the vulnerability has been fixed by optimizing the fragment-name uniqueness validation algorithm from O(NΒ²) to O(N).

Until the upgrade can be applied, consider implementing request size limits or rate limiting on GraphQL queries to reduce the risk of denial-of-service attacks.

  • Upgrade absinthe-graphql to version 1.10.2 or later.
  • Apply rate limiting or throttling on GraphQL endpoints to limit the number of large queries.
  • Enforce maximum query size limits in the GraphQL server configuration to prevent excessively large fragment counts.
Executive Summary

This vulnerability is an Inefficient Algorithmic Complexity issue in the absinthe-graphql library. Specifically, it occurs in the UniqueFragmentNames validation phase, where the code performs a quadratic number of comparisons to check for duplicate fragment names in a GraphQL query.

The function iterates over all fragments and for each fragment counts how many fragments have the same name, resulting in O(NΒ²) complexity where N is the number of fragments. Since the fragments come directly from the query input, an attacker can supply a very large number of fragments to trigger this expensive validation.

This leads to a denial of service (DoS) vulnerability because processing such a large query consumes excessive CPU resources, slowing down or crashing the service without requiring authentication or special knowledge.

Impact Analysis

This vulnerability can be exploited by an attacker to cause a denial of service (DoS) on systems using the affected versions of absinthe-graphql. By sending a specially crafted GraphQL query containing a very large number of fragments, the attacker forces the server to perform an extremely high number of comparisons during validation.

The excessive computational load can degrade system performance, cause slowdowns, or even crash the service, making it unavailable to legitimate users. No authentication or special permissions are needed to exploit this issue.

Compliance Impact

This vulnerability allows an unauthenticated attacker to cause a denial-of-service (DoS) condition by exploiting an inefficient algorithm in fragment-name uniqueness validation. The impact is limited to system availability, as it can stall the server's CPU and exhaust resources.

While the vulnerability affects availability, there is no indication from the provided information that it leads to unauthorized access, data leakage, or modification of sensitive data.

Therefore, the vulnerability primarily impacts the availability aspect of security controls, which may affect compliance with standards that require system availability guarantees, such as HIPAA's availability requirements or GDPR's requirement for data availability and resilience.

However, since the vulnerability does not involve data breach or confidentiality issues, its direct effect on compliance with data protection regulations like GDPR or HIPAA is limited to potential service disruption.

Detection Guidance

This vulnerability can be detected by monitoring for unusually large GraphQL queries containing a high number of fragment definitions, which cause excessive CPU usage due to the inefficient fragment-name uniqueness validation.

Since the vulnerability is triggered by GraphQL queries with many fragments, one detection approach is to log and analyze incoming GraphQL requests for fragment counts.

There are no specific commands provided in the resources, but you can use network monitoring tools or application logs to identify large GraphQL queries.

  • Use application-level logging to capture GraphQL query sizes and fragment counts.
  • Monitor CPU usage spikes on servers handling GraphQL requests, which may indicate exploitation attempts.
  • Use network packet capture tools (e.g., tcpdump, Wireshark) to filter and analyze GraphQL POST requests for unusually large payloads.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart