PT-2026-23759 · Mercurius · Mercurius

Tinkanet

Published: 2026-03-06 · Updated: 2026-03-12

CVE-2026-30241

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Mercurius versions prior to 16.8.0

Description: Mercurius does not properly enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check works as expected for HTTP queries and mutations, but subscription queries bypass this validation. A remote client can therefore send excessively nested subscription queries over WebSocket, circumventing the intended depth restriction. In schemas containing recursive types, this can result in a denial of service due to exponential data resolution on each subscription event.

Recommendations: Update to version 16.8.0 or later, or disable subscriptions and queries over WebSocket.
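As an added illustration (not Mercurius source code; the function names and the simplified brace-based depth counter are assumptions), the following JavaScript shows a depth check that applies the same queryDepth limit to subscription documents as to queries and mutations, beside the incomplete form that skips subscriptions, which is the class of defect the description above refers to:

```javascript
// Added example, not Mercurius source. A simplified depth counter (brace nesting,
// not a full GraphQL parser) and two validators: one that, like the bug described,
// measures only query/mutation, and one that covers every operation type.
function selectionDepth(doc) {
  let depth = 0, max = 0, i = 0;
  while (i < doc.length) {
    const c = doc[i];
    if (c === '#') {                        // comment runs to end of line
      while (i < doc.length && doc[i] !== '\n') i++;
    } else if (doc.startsWith('"""', i)) {  // block string literal
      const end = doc.indexOf('"""', i + 3);
      i = end < 0 ? doc.length : end + 3;
    } else if (c === '"') {                 // string literal, honouring escapes
      i++;
      while (i < doc.length && doc[i] !== '"') i += doc[i] === '\\' ? 2 : 1;
      i++;
    } else {
      if (c === '{') { depth++; if (depth > max) max = depth; }
      else if (c === '}') depth--;
      i++;
    }
  }
  return max;
}
// Operation keyword; the anonymous `{ ... }` shorthand is a query.
function operationType(doc) {
  const m = /^\s*(query|mutation|subscription)\b/.exec(doc.replace(/#[^\n]*/g, ''));
  return m ? m[1] : 'query';
}
// Incomplete check: subscriptions are never measured, so a deeply nested
// subscription arriving over WebSocket is accepted regardless of maxDepth.
function checkDepthHttpOnly(doc, maxDepth) {
  const op = operationType(doc), depth = selectionDepth(doc);
  return { op, depth, ok: op === 'subscription' || depth <= maxDepth };
}
// Hardened check: one limit for every operation type and every transport.
function checkDepth(doc, maxDepth) {
  const depth = selectionDepth(doc);
  return { op: operationType(doc), depth, ok: depth <= maxDepth };
}
// Constructed sample: subscription { node { node { ... { id } } } } nested `depth` deep.
function nestedSubscription(depth) {
  let body = 'id';
  for (let k = 1; k < depth; k++) body = `node { ${body} }`;
  return `subscription { ${body} }`;
}
```

With a recursive `node` type, the hardened check rejects the twelve-deep constructed subscription under a limit of 7, while the incomplete check lets it through.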

Exploit · Fix · DoS · Incorrect Authorization


Weakness Enumeration

Related identifiers

CVE-2026-30241
GHSA-M4H2-MJFM-MP55

Affected products

Mercurius