VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10802

Description

A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.

Affected products: 2

Patches: 1

Commit 695dfb2c4c88

Merge 4f019c14523a178af577ab8455e52e6eee44f27a into 033a22c0bf9c5f0f1e6f133525ed4d332b8486c2

https://github.com/keystonejs/keystone · envsecure · Jun 4, 2026 · via nvd-ref
3 files changed · +16 −1
  • packages/core/package.json (+3 −1, modified)
    @@ -273,6 +273,7 @@
         "fast-deep-equal": "^3.1.3",
         "fs-extra": "^11.0.0",
         "graphql": "^16.8.1",
    +    "graphql-depth-limit": "^1.1.0",
         "graphql-upload": "^15.0.2",
         "image-size": "^2.0.0",
         "intersection-observer": "^0.12.0",
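Review bot: the resolved version of graphql-depth-limit is not pinned anywhere in this change; the summary lists 3 files changed and none of them is a lockfile, so the install floats within `^1.1.0` until the lockfile is regenerated and committed together with this package.json edit.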
    @@ -299,7 +300,8 @@
         "@types/react": "^19.2.14",
         "@types/react-dom": "^19.2.3",
         "@types/resolve": "^1.20.2",
    -    "@types/uuid": "^11.0.0"
    +    "@types/uuid": "^11.0.0",
    +    "@types/graphql-depth-limit": "^1.1.6"
       },
       "preconstruct": {
         "entrypoints": [
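Review bot: style: `@types/graphql-depth-limit` is appended after `@types/uuid`, breaking the alphabetical order of the surrounding `@types/*` block (react, react-dom, resolve, uuid); insert it before `@types/react` instead, which keeps the list sorted and leaves the `@types/uuid` line untouched, reducing the hunk to a single added line.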
    
  • packages/core/src/lib/express.ts (+6 −0, modified)
    @@ -7,6 +7,8 @@ import { GraphQLError, type GraphQLFormattedError } from 'graphql'
     import { type ApolloServerOptions, ApolloServer } from '@apollo/server'
     import { ApolloServerPluginLandingPageDisabled } from '@apollo/server/plugin/disabled'
     import { ApolloServerPluginLandingPageLocalDefault } from '@apollo/server/plugin/landingPage/default'
    +
    +import depthLimit from 'graphql-depth-limit'
     // @ts-expect-error
     import graphqlUploadExpress from 'graphql-upload/graphqlUploadExpress.js'
     import type { KeystoneContext, KeystoneConfig } from '../types'
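Review bot: style: the added blank line before `import depthLimit from 'graphql-depth-limit'` splits the import group; drop it and keep the import adjacent to the other third-party imports so the `// @ts-expect-error` below stays visibly attached to the `graphql-upload` import it suppresses.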
    @@ -74,6 +76,10 @@ export async function createExpressServer(
         ...apolloConfig,
         formatError: formatError(config.graphql),
         schema: context.graphql.schema,
    +    validationRules: [
    +      depthLimit(config.graphql.maxDepth ?? 20),
    +      ...(apolloConfig?.validationRules ?? []),
    +    ],
         plugins:
           config.graphql.playground === 'apollo'
             ? apolloConfig?.plugins
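Review bot: a depth limit alone does not bound the work a query can cause, and the default of 20 does not reject the advisory's own reproduction query, which nests nine relationship levels (users → posts → author → … → id) and therefore passes `depthLimit(20)` unchanged; every level still fans out over all related rows. Document that `graphql.maxDepth` should be set to the deepest legitimate traversal the schema needs (usually well below 20) and paired with a cost/complexity limit or a cap on how many related items a level may request. Consider also rejecting a `maxDepth` of 0 or below at config time rather than handing it to `depthLimit`.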
    
  • packages/core/src/types/config/index.ts (+7 −0, modified)
    @@ -116,9 +116,16 @@ export type KeystoneConfigPre<TypeInfo extends BaseKeystoneTypeInfo = BaseKeysto
          * @default 'schema.graphql'
          */
         extendGraphqlSchema?: (schema: GraphQLSchema) => GraphQLSchema
    +
    +    /**
    +     * The maximum depth allowed for queries.
    +     * @default 20
    +     */
    +    maxDepth?: number
       }
     
       lists: Record<string, ListConfig<any>>
    +
       server?: {
         /** Configuration options for the cors middleware. Set to `true` to use Keystone's defaults */
         cors?: boolean | CorsOptions
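Review bot: the doc comment for `maxDepth` should state what the limit counts (nested selection sets of a single operation) and what happens when it is exceeded (the request fails GraphQL validation before any resolver or database query runs); "The maximum depth allowed for queries." leaves both unstated. The blank line inserted before `server?:` is an unrelated whitespace change and should be dropped from this fix.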
    

Vulnerability mechanics

Root cause

"The GraphQL API endpoint does not enforce limits on query depth, leading to resource exhaustion."

Attack vector

An attacker can send a single crafted GraphQL query to exploit this vulnerability remotely. The query recursively traverses relationship fields without any depth or complexity limits. This causes an exponential increase in database operations, consuming excessive CPU and memory. The attack can be performed without authentication if the GraphQL endpoint is publicly accessible [ref_id=1].

Affected code

The vulnerability exists in the relationship resolvers within the GraphQL API, specifically in `packages/core/src/lib/core/queries/output-field.ts` and `packages/core/src/fields/types/relationship/index.ts`. These resolvers directly pass user-controlled arguments into database queries without implementing safeguards against deep nesting [ref_id=1].

What the fix does

The vulnerability is addressed by introducing a default GraphQL query depth limit of 20 levels in the Keystone configuration. The `graphql-depth-limit` package is integrated as a validation rule within the Apollo Server setup. This prevents deeply nested queries from causing exponential growth in database operations and resource consumption [ref_id=1].
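As an added illustration (not Keystone or graphql-depth-limit code), the following script computes query depth the way a depth-limit validation rule does, so you can see which queries a given `maxDepth` admits; it treats braces inside argument lists (Keystone's `where` filter objects) as values rather than selections, expands named fragments, and, as a simplification, counts inline fragments as a level. The advisory's reproduction query is embedded as the sample input.

```javascript
// Added example (not Keystone or graphql-depth-limit code): computes GraphQL query depth
// the way a depth-limit rule does (nested selection sets below the root operation, named
// fragments expanded) to show which queries a given maxDepth admits.
// Lexer: only braces, parens, spreads and names matter for depth; strings (which may hold
// braces) and comments are matched whole and then dropped.
const TOKEN = /"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|[{}()]|[^\s,{}()"#.]+/g;
const tokenize = (src) => (src.match(TOKEN) || []).filter((t) => !/^["#]/.test(t));

// Separate top-level fragment definitions (name -> body tokens) from operation tokens.
function splitDocument(tokens) {
  const frags = new Map(), ops = [];
  for (let i = 0, level = 0; i < tokens.length; i++) {
    if (tokens[i] === 'fragment' && level === 0) {
      const open = tokens.indexOf('{', i);
      let j = open, d = 0;
      while ((d += tokens[j] === '{' ? 1 : tokens[j] === '}' ? -1 : 0) > 0) j++; // j -> matching '}'
      frags.set(tokens[i + 1], tokens.slice(open + 1, j));
      i = j;
    } else {
      level += tokens[i] === '{' ? 1 : tokens[i] === '}' ? -1 : 0;
      ops.push(tokens[i]);
    }
  }
  return { frags, ops };
}

// Depth of one token stream. Braces inside parentheses are argument objects (Keystone's
// `where: {...}` filters), not selections; a spread adds the fragment's own depth at that
// point; inline fragments count as a level (an over-count, never an under-count).
function walk(tokens, frags, seen) {
  let parens = 0, depth = 0, max = 0;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i], n = tokens[i + 1];
    if (t === '(') parens++;
    else if (t === ')') parens--;
    else if (parens > 0) continue;
    else if (t === '{') max = Math.max(max, ++depth);
    else if (t === '}') depth--;
    else if (t === '...' && n && !/^(?:on$|\{|@)/.test(n)) {
      if (!frags.has(n)) throw new Error(`unknown fragment ${n}`);
      if (seen.has(n)) throw new Error(`fragment cycle through ${n}`);
      max = Math.max(max, depth + walk(frags.get(n), frags, new Set(seen).add(n)));
    }
  }
  return max;
}

// `{ users { id } }` is depth 1, the rule's convention; maxDepth is an inclusive bound.
function queryDepth(src) {
  const { frags, ops } = splitDocument(tokenize(src));
  return Math.max(0, walk(ops, frags, new Set()) - 1);
}
const checkDepth = (src, maxDepth = 20) => ({ depth: queryDepth(src), allowed: queryDepth(src) <= maxDepth });
// The advisory's reproduction query: 9 relationship levels, well under the default of 20.
const DOS_QUERY = 'query DoS { users { posts { author { posts { author { posts { author { posts { author { id } } } } } } } } } }';
```

`checkDepth(DOS_QUERY)` reports depth 9 and `allowed: true`, which is why the default limit of 20 has to be tightened to the deepest traversal a schema legitimately needs.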

Preconditions

  • Network: the attack can be launched remotely.
  • Auth: the attack can be performed without authentication if the GraphQL endpoint is publicly accessible [ref_id=1].

Reproduction

Assuming a common schema such as User -> Post -> author (User):

```graphql
query DoS {
  users {
    posts {
      author {
        posts {
          author {
            posts {
              author {
                posts {
                  author {
                    id
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```

Request example:

```bash
curl -X POST https://website-using-keystone/api/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"{ users { posts { author { posts { author { posts { author { posts { author { id } } } } } } } } } }"}'
```

[ref_id=1]

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0 (no linked articles in our index yet).