CVE-2026-9165
HIGHStackrox: stackrox: unbounded graphql query depth allows authenticated denial of service
Title source: cnaDescription
A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
References (5)
Core 5
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-9165
Issue Tracking, X_Refsource_Redhat issue-tracking
x_refsource_redhat
RHBZ#2480505
https://bugzilla.redhat.com/show_bug.cgi?id=2480505
Vendor Advisory vendor-advisory
x_refsource_redhat
RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36207
Vendor Advisory vendor-advisory
x_refsource_redhat
RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36319
Vendor Advisory vendor-advisory
x_refsource_redhat
RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36625
Scores
CVSS v3
7.7
EPSS
0.0032
EPSS Percentile
23.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (4)
Red Hat/Red Hat Advanced Cluster Security 4
Red Hat/Red Hat Advanced Cluster Security for Kubernetes 4.10
1783357140
Red Hat/Red Hat Advanced Cluster Security for Kubernetes 4.11
1783352589
Red Hat/Red Hat Advanced Cluster Security for Kubernetes 4.9
1783357116
Published
Jul 06, 2026
Tracked Since
Jul 06, 2026