MEDIUM 4.3

CVE-2026-10802: KeystoneJS GraphQL Resource Exhaustion Vulnerability

A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-400, CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10802 is a resource exhaustion vulnerability in KeystoneJS affecting the GraphQL API output field handler located in packages/core/src/lib/core/queries/output-field.ts. Classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-404 (Improper Resource Validation), the vulnerability allows authenticated attackers to trigger excessive resource consumption. The CVSS v3.1 score of 4.3 (MEDIUM) reflects a network-accessible attack requiring login credentials, with availability impact but no confidentiality or integrity compromise. A fix has been proposed via pull request pending maintainer acceptance.

Business impact

Resource exhaustion attacks can degrade API performance and availability for legitimate users. Organizations relying on KeystoneJS for customer-facing GraphQL endpoints risk service interruptions if an authenticated attacker (such as a disgruntled employee or compromised account) leverages this flaw. The impact is availability-focused rather than data-focused, making this primarily an operational risk. For SaaS providers exposing KeystoneJS APIs, this could affect service level agreements and user experience.

Affected systems

KeystoneJS versions up to and including the build dated March 19, 2026 are affected. The vulnerability is specific to the GraphQL API endpoint handler. Organizations using KeystoneJS in production should inventory their deployed versions immediately. The lack of a known vendor-supplied patch at the time of publication means temporary mitigations are necessary.

Exploitability

The vulnerability carries moderate exploitability risk. Exploitation requires valid authentication credentials, reducing the attack surface compared to unauthenticated flaws. However, public exploit information is now available, and the attack is remotely executable without special network positioning. Any authenticated user—whether an internal team member or an external account holder—can trigger the resource consumption. The simplicity of triggering resource exhaustion via GraphQL queries makes this relatively straightforward to exploit once credentials are obtained.

Remediation

Primary remediation requires applying a security patch once the pending pull request is merged and released by the KeystoneJS maintainers. Administrators should monitor the official KeystoneJS repository and security advisories for patch availability. Short-term mitigations include implementing rate limiting on GraphQL queries, restricting API access to trusted networks, enforcing strict authentication policies, and monitoring server resource utilization for anomalies indicative of resource exhaustion attacks.

Patch guidance

Verify the KeystoneJS project's official releases and security advisories for a patched version addressing CVE-2026-10802. The fix exists as a proposed pull request; once merged and released, upgrade to the patched version immediately. Follow the project's release notes for any breaking changes or migration steps. Test patches in a staging environment before production deployment. Until an official patch is released, apply the temporary mitigations outlined in the remediation section.

Detection guidance

Monitor GraphQL query patterns for anomalies such as unusually complex queries, repeated queries with high computational cost, or authenticated sessions generating excessive API load. Implement application-level logging to track query execution times and resource consumption per user session. Look for sustained high CPU or memory usage correlating with GraphQL API activity. Network and system-level alerts for resource exhaustion (high memory consumption, CPU throttling, disk I/O spikes) can help detect active exploitation. Consider implementing a Web Application Firewall (WAF) rule to limit GraphQL query complexity or depth as a defensive measure.

Why prioritize this

While the CVSS score is moderate (4.3), this vulnerability warrants timely attention because: (1) it affects API availability, a critical operational concern; (2) public exploits are available, increasing attack likelihood; (3) exploitation requires only authenticated access, a lower barrier than zero-day flaws; (4) organizations may lack awareness of the pending patch status. Priority should be elevated for organizations with strict availability requirements or those exposed to insider threats.

Risk score, explained

The CVSS v3.1 score of 4.3 reflects the following factors: Network accessibility (AV:N) and low attack complexity (AC:L) increase exposure; authentication requirement (PR:L) limits the attacker pool; no confidentiality or integrity impact (C:N/I:N) reduces severity; availability impact (A:L) is the sole harm metric. This score appropriately categorizes the vulnerability as MEDIUM severity—notable but not critical. However, the presence of public exploits and the ease of authentication-based exploitation may justify internal risk elevation for sensitive deployments.

Frequently asked questions

Does this vulnerability allow attackers to steal data or modify records?

No. CVE-2026-10802 is limited to availability impact. It enables resource exhaustion but does not provide mechanisms for data exfiltration or unauthorized modification. The risk is service disruption, not data compromise.

Can unauthenticated attackers exploit this vulnerability?

No. The vulnerability requires valid authentication credentials. Only authenticated users—internal staff, authorized API consumers, or compromised accounts—can trigger the resource exhaustion. This reduces the attack surface but does not eliminate risk from insider threats or account compromise.

What is the timeline for a security patch?

At the time of publication, a fix has been proposed in a pull request awaiting maintainer acceptance. There is no official release date. Monitor the KeystoneJS GitHub repository and official security channels for patch availability. Until then, apply the recommended mitigations.

How should we configure our API defenses?

Implement GraphQL query complexity limits, set timeouts for long-running queries, enforce rate limiting per authenticated user or API key, and monitor query execution metrics. These controls reduce the impact of resource exhaustion attempts and provide early warning of exploitation.

This analysis is based on published vulnerability data as of the date of writing. Affected version numbers, patch status, and exploitation details reflect information available at that time and may change. Organizations should verify current patch availability directly with the KeystoneJS project and consult official security advisories. This document does not constitute legal advice or a guarantee of security. Testing and deployment of any patch should occur in controlled environments before production rollout. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).