CVE-2026-9165

HIGH

Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service

Title source: cna
STIX 2.1

Description

A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.

References (5)

Core 5
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-9165
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2480505
https://bugzilla.redhat.com/show_bug.cgi?id=2480505
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36207
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36319
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36625

Scores

CVSS v3 7.7
EPSS 0.0032
EPSS Percentile 23.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (4)
Red Hat/Red Hat Advanced Cluster Security 4
Red Hat/Red Hat Advanced Cluster Security for Kubernetes 4.10 1783357140
Red Hat/Red Hat Advanced Cluster Security for Kubernetes 4.11 1783352589
Red Hat/Red Hat Advanced Cluster Security for Kubernetes 4.9 1783357116
Published Jul 06, 2026
Tracked Since Jul 06, 2026