CVE-2026-10802 Overview
CVE-2026-10802 is a resource consumption vulnerability in KeystoneJS versions up to 20260319. The flaw resides in packages/core/src/lib/core/queries/output-field.ts within the GraphQL API endpoint component. An authenticated remote attacker with low privileges can manipulate GraphQL queries to trigger excessive resource consumption on the server. The issue is tracked as CWE-400: Uncontrolled Resource Consumption. A proof-of-concept has been published, and a pull request to address the issue is currently awaiting acceptance from the KeystoneJS maintainers.
Critical Impact
Remote attackers can degrade KeystoneJS GraphQL API availability by submitting crafted queries that exhaust server resources, affecting application responsiveness for legitimate users.
Affected Products
- KeystoneJS (the keystone package) versions up to 20260319
- Component: GraphQL API Endpoint
- File: packages/core/src/lib/core/queries/output-field.ts
Discovery Timeline
- 2026-06-04 - CVE-2026-10802 published to NVD
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-10802
Vulnerability Analysis
The vulnerability affects the GraphQL output field resolution logic in KeystoneJS, a headless CMS framework for Node.js. The flawed code path in output-field.ts handles how GraphQL response fields are resolved and returned to clients. An attacker can craft GraphQL queries that force the server to perform expensive operations during field resolution, leading to uncontrolled resource consumption.
The attack requires only low-privileged authenticated access and no user interaction. The exploit has been published publicly as a GitHub Gist proof-of-concept, increasing the likelihood of opportunistic exploitation against exposed KeystoneJS instances.
Root Cause
The root cause is insufficient validation and resource limiting within the GraphQL output field resolver. The code in packages/core/src/lib/core/queries/output-field.ts does not bound the work performed when processing certain query shapes. This allows attackers to construct queries that disproportionately consume CPU, memory, or database resources relative to the query's complexity score.
Attack Vector
The attack is launched remotely over the network against the GraphQL API endpoint. The attacker submits a malicious GraphQL query through the standard API interface. Because authentication with low privileges is required, exploitation is feasible by any user with API access, including registered accounts in applications that permit self-registration.
No code example is reproduced here. The technical proof-of-concept is documented in the KeystoneJS Issue #9789 and the linked GitHub Gist PoC.
Detection Methods for CVE-2026-10802
Indicators of Compromise
- Unusually long GraphQL query execution times against KeystoneJS endpoints
- Spikes in CPU or memory consumption on the Node.js process hosting KeystoneJS
- Repeated GraphQL POST requests from a single authenticated source with complex nested queries
- Application slowdowns or timeouts correlated with GraphQL API traffic
Detection Strategies
- Enable GraphQL query logging and review queries that exceed expected execution time thresholds
- Monitor for queries that request deeply nested or repeated fields against the affected resolver path
- Correlate authenticated user activity with abnormal resource utilization patterns on the application server
- Deploy GraphQL-aware web application firewall rules that flag queries exceeding complexity or depth limits
Monitoring Recommendations
- Track per-user GraphQL query rate, depth, and execution duration metrics
- Alert on sustained elevated process resource usage outside normal operating baselines
- Capture API access logs centrally and retain them for incident reconstruction
- Review authentication logs for accounts initiating high volumes of GraphQL traffic
How to Mitigate CVE-2026-10802
Immediate Actions Required
- Audit KeystoneJS deployments to identify instances running versions up to 20260319
- Restrict GraphQL API access to trusted authenticated users until a patched release is available
- Apply GraphQL query depth and complexity limits at the application or proxy layer
- Monitor the KeystoneJS Pull Request #9831 for merge status and adoption
Patch Information
At the time of publication, no official patched release is available. The fix is proposed in KeystoneJS Pull Request #9831 and is awaiting acceptance from the maintainers. Administrators should track the KeystoneJS Repository and the associated KeystoneJS Issue #9789 for release notifications.
Workarounds
- Implement GraphQL query complexity analysis using libraries such as graphql-query-complexity to reject expensive queries
- Enforce maximum query depth limits on the GraphQL schema
- Apply per-user rate limiting on the GraphQL endpoint via reverse proxy or API gateway
- Disable or restrict access to vulnerable fields and resolvers for low-privileged accounts where feasible
- Place the GraphQL endpoint behind authentication that limits exposure to internal or trusted networks
# Example: rate-limit GraphQL endpoint with nginx
# limit_req_zone is only valid in the http {} context. It keys the limit on the
# client IP ($binary_remote_addr); true per-user limiting needs a key derived
# from the session or authenticated identity instead.
limit_req_zone $binary_remote_addr zone=graphql_limit:10m rate=10r/s;

# Inside the server {} block; keystone_backend is assumed to be a defined upstream.
location /api/graphql {
    limit_req zone=graphql_limit burst=20 nodelay;
    proxy_pass http://keystone_backend;
}
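As an added example (not code from this page or from the KeystoneJS project) that serves both the Detection Strategies list and the Workarounds above: a small JavaScript query-shape analyzer that can run as an admission guard in front of the GraphQL endpoint and as a scorer over access-log records. The limits, the log record fields and the sample records are constructed assumptions; the brace-based depth and field counts are a text-level approximation of what a validation rule over the parsed document (for example graphql-query-complexity, mentioned above) would compute against the real schema.

```javascript
// Added example, not KeystoneJS project code: a small GraphQL query-shape analyzer
// used two ways, as an admission guard before execution (Workarounds) and as a
// scorer for access-log records (Detection Strategies). Limits, log fields and
// sample records are constructed assumptions for this example.

// Tokenize just enough GraphQL: names, numbers, punctuators, and string literals and
// comments, which are skipped so braces inside them are never counted as nesting.
function tokenize(src) {
  const tokens = [];
  const word = /[A-Za-z_][A-Za-z0-9_]*|-?[0-9][0-9.eE+-]*/y;
  for (let i = 0; i < src.length;) {
    const c = src[i];
    if (/[\s,]/.test(c)) { i++; continue; }
    if (c === '#') { while (i < src.length && src[i] !== '\n') i++; continue; }
    if (c === '"') {
      const block = src.startsWith('"""', i);
      i += block ? 3 : 1;
      while (i < src.length && !(block ? src.startsWith('"""', i) : src[i] === '"')) i += (!block && src[i] === '\\') ? 2 : 1;
      i += block ? 3 : 1;
      tokens.push({ kind: 'string' });
      continue;
    }
    if (src.startsWith('...', i)) { tokens.push({ kind: 'punct', value: '...' }); i += 3; continue; }
    word.lastIndex = i;
    const m = word.exec(src);
    if (m) { tokens.push({ kind: /^[0-9-]/.test(m[0]) ? 'number' : 'name', value: m[0] }); i += m[0].length; continue; }
    tokens.push({ kind: 'punct', value: c });
    i++;
  }
  return tokens;
}

// One pass over the tokens. Braces inside an argument list are input objects, not
// selection sets, so nesting is only counted while no parenthesis is open. Aliases,
// directives, fragment spreads and type conditions are not counted as fields.
function analyzeQuery(src) {
  const tokens = tokenize(src);
  let depth = 0, maxDepth = 0, fields = 0, parens = 0, skipNames = 0;
  for (let k = 0; k < tokens.length; k++) {
    const t = tokens[k], next = tokens[k + 1];
    if (t.kind === 'punct') {
      if (t.value === '(') parens++;
      else if (t.value === ')') parens--;
      else if (parens > 0) continue;
      else if (t.value === '{') maxDepth = Math.max(maxDepth, ++depth);
      else if (t.value === '}') depth--;
      else if (t.value === '...') skipNames = next && next.kind === 'name' && next.value === 'on' ? 2 : 1;
      else if (t.value === '@') skipNames = 1;
      continue;
    }
    if (t.kind !== 'name' || parens > 0 || depth === 0) continue;
    if (skipNames > 0) { skipNames--; continue; }
    if (next && next.kind === 'punct' && next.value === ':') continue; // alias; the field follows
    fields++;
  }
  return { maxDepth, fields };
}

// Admission guard: reject a query before any resolver runs if its shape exceeds the
// limits (example values; tune them to what legitimate clients of the schema need).
const LIMITS = { maxDepth: 6, maxFields: 100 };
function admitQuery(src, limits = LIMITS) {
  const shape = analyzeQuery(src);
  if (shape.maxDepth > limits.maxDepth) return { ok: false, reason: `depth ${shape.maxDepth} exceeds ${limits.maxDepth}`, shape };
  if (shape.fields > limits.maxFields) return { ok: false, reason: `${shape.fields} fields exceed ${limits.maxFields}`, shape };
  return { ok: true, shape };
}

// Constructed access-log records: who ran what, and how long it took.
const DEEP = '{ posts { author { posts { author { posts { author { posts { id } } } } } } } }';
const SAMPLE_LOGS = [
  { user: 'editor42', durationMs: 35, query: '{ posts(take: 10) { id title author { name } } }' },
  { user: 'editor42', durationMs: 41, query: '{ posts(take: 10) { id title } }' },
  { user: 'guest7', durationMs: 5200, query: DEEP },
  { user: 'guest7', durationMs: 4900, query: DEEP },
];

// Aggregate the records per user and flag accounts whose queries are deeper than the
// limit or repeatedly slow (thresholds are constructed example values).
function scoreUsers(records, opts = { maxDepth: 6, slowMs: 2000, minSlow: 2 }) {
  const byUser = new Map();
  for (const r of records) {
    const s = byUser.get(r.user) || { requests: 0, slow: 0, maxDepth: 0, totalMs: 0 };
    s.requests++;
    s.totalMs += r.durationMs;
    if (r.durationMs >= opts.slowMs) s.slow++;
    s.maxDepth = Math.max(s.maxDepth, analyzeQuery(r.query).maxDepth);
    byUser.set(r.user, s);
  }
  const flagged = [];
  for (const [user, s] of byUser) {
    const reasons = [];
    if (s.maxDepth > opts.maxDepth) reasons.push(`depth ${s.maxDepth}`);
    if (s.slow >= opts.minSlow) reasons.push(`${s.slow} slow queries`);
    if (reasons.length) flagged.push({ user, reasons, avgMs: s.totalMs / s.requests });
  }
  return flagged;
}

console.log(JSON.stringify(scoreUsers(SAMPLE_LOGS)));
```

Run it with node. The guard returns a decision without touching any resolver, so it can sit in middleware ahead of the GraphQL handler, and the same analyzeQuery can be applied to logged query text to populate the per-user depth metric recommended above. Because it works on the raw text it cannot know list sizes or argument costs; a schema-aware complexity rule is the stronger control, and this analyzer is the cheap first filter in front of it.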
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


