CVE-2026-9165 PUBLISHED

Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service

Assigner: redhat
Reserved: 21.05.2026 Published: 06.07.2026 Updated: 06.07.2026

A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVSS Score: 7.7

Product Status

Vendor Red Hat
Product Red Hat Advanced Cluster Security 4
Versions Default: affected

Workarounds

There is no complete mitigation other than installing the update once available.

Credits

  • This issue was discovered by Moritz Clasmeier (Red Hat).

References

Problem Types

  • Uncontrolled Resource Consumption CWE