CVE-2026-40476

Name of the Vulnerable Software and Affected Versions graphql-go versions prior to 15.31.5

Description The OverlappingFieldsCanBeMerged validation rule exhibits quadratic time complexity when processing queries containing numerous repeated fields that share the same response name. Specifically, the collectConflictsWithin() function performs O(n²) pairwise comparisons of these fields. An attacker can exploit this by sending a crafted query with thousands of identical fields, leading to excessive CPU usage and resource exhaustion during the validation phase, before execution begins. This issue is not mitigated by existing QueryDepth or QueryComplexity rules.

Recommendations Update to version 15.31.5.