CVE-2026-10802
Deferred Deferred - Pending Action
Resource Exhaustion in KeystoneJS GraphQL API

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulDB

Description
A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-12
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-11
NVD
CVE-2026-10802
EUVD
EUVD-2026-34244
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
keystonejs keystone to 20260319 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10802 is a vulnerability in KeystoneJS's GraphQL API endpoint that allows attackers to send deeply nested or circular GraphQL queries. These queries can cause excessive resource consumption on the server, leading to performance degradation or denial of service (DoS). The issue arises because KeystoneJS did not enforce limits on query depth or complexity, allowing malicious users to exploit this by crafting queries that exhaust server resources.

The vulnerability specifically affects the code handling GraphQL queries in the library packages/core/src/lib/core/queries/output-field.ts. The attack can be launched remotely without user interaction.

Impact Analysis

This vulnerability can impact you by allowing attackers to perform Denial of Service (DoS) attacks on your KeystoneJS server. By sending deeply nested or circular GraphQL queries, attackers can cause the server to consume excessive CPU and memory resources, leading to severe performance degradation or server unavailability.

For example, a depth-16 query on a small SQLite database caused the server to hang for 38 seconds, demonstrating how resource exhaustion can disrupt normal operations.

Detection Guidance

This vulnerability involves the GraphQL API endpoint accepting deeply nested or circular queries that cause excessive resource consumption and server hangs.

To detect this vulnerability on your system, you can monitor for unusually long response times or server hangs when processing GraphQL queries, especially those with deeply nested structures.

You can also analyze GraphQL query logs to identify queries with excessive depth or circular references.

While no specific commands are provided in the resources, you might use network monitoring tools or log analysis commands such as:

  • Use grep or similar tools to search GraphQL query logs for deeply nested queries, e.g., `grep -E 'posts.*author.*posts' graphql-logs.log`
  • Monitor server resource usage with commands like `top`, `htop`, or `vmstat` during GraphQL query processing to detect resource exhaustion.
  • Use network traffic analysis tools like `tcpdump` or `wireshark` to capture and inspect GraphQL requests for suspiciously complex queries.
Mitigation Strategies

The primary mitigation is to implement a query depth limit on the Keystone GraphQL API to prevent deeply nested or circular queries from exhausting server resources.

According to the pull request addressing this issue, a default maximum query depth of 20 levels is introduced, which can be configured in the KeystoneConfig using the 'maxDepth' option.

This mitigation uses the 'graphql-depth-limit' package integrated as a validation rule in Apollo Server, enforcing the depth limit before any user-defined rules.

Until the fix is accepted and deployed, consider monitoring and restricting GraphQL query complexity manually, and apply rate limiting or authentication to reduce exposure.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10802. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart