CVE-2026-40324 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: April 18, 2026
Hot Chocolate - Denial of Service
Published: April 18, 2026 | Updated: April 18, 2026 | Remote Exploitable
Overview
Hot Chocolate versions before 12.22.7, 13.9.16, 14.3.1, and 15.1.14 contain a denial-of-service vulnerability caused by the lack of a recursion depth limit in Utf8GraphQLParser. A remote attacker can crash the worker process by submitting a crafted, deeply nested GraphQL document; exploitation requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can crash the server process, causing denial of service and dropped connections.
Mitigation
Upgrade to version 12.22.7, 13.9.16, 14.3.1, or 15.1.14 (or later) of the release line in use.
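Where the upgrade cannot be applied immediately, a request-level guard can keep deeply nested documents away from the parser. The following is an added example, not Hot Chocolate's code: it bounds the bracket nesting depth of an incoming GraphQL document in one linear pass, so a recursive parser never sees a document deeper than the assumed MAX_NESTING_DEPTH (all names and the limit value are assumptions).

```python
# Added example, not Hot Chocolate code: a pre-parse nesting-depth guard for
# GraphQL request bodies. One linear pass bounds {...}, (...) and [...] nesting
# so a deeply nested document is rejected before it reaches a recursive parser.
MAX_NESTING_DEPTH = 32  # assumed, tunable limit; size it to the deepest real query

class NestingTooDeep(ValueError):
    """Document nests brackets beyond the configured limit."""

def _skip_string(doc: str, i: int) -> int:
    """Return the index just past the string literal that starts at doc[i]."""
    if doc.startswith('"""', i):                      # block string
        end = doc.find('"""', i + 3)
        while end != -1 and doc[end - 1] == "\\":     # \""" is an escape
            end = doc.find('"""', end + 3)
        if end == -1:
            raise ValueError("unterminated block string")
        return end + 3
    i += 1                                            # plain string
    while i < len(doc) and doc[i] != '"':
        i += 2 if doc[i] == "\\" else 1               # skip escaped character
    if i >= len(doc):
        raise ValueError("unterminated string")
    return i + 1

def max_nesting_depth(doc: str, limit: int = MAX_NESTING_DEPTH) -> int:
    """Max bracket depth, ignoring strings and comments; raises NestingTooDeep
    as soon as `limit` is exceeded and ValueError for unbalanced brackets."""
    depth = deepest = i = 0
    while i < len(doc):
        ch = doc[i]
        if ch == "#":                                 # comment runs to end of line
            while i < len(doc) and doc[i] not in "\r\n":
                i += 1
            continue
        if ch == '"':
            i = _skip_string(doc, i)
            continue
        if ch in "{([":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
        elif ch in "})]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced {ch!r} at offset {i}")
        i += 1
    if depth:
        raise ValueError("unclosed brackets")
    return deepest
```

Because the scan stops at the first bracket that exceeds the limit, the cost of rejecting an oversized document is bounded by the limit rather than by the size of the request body.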
References
- https://github.com/ChilliCream/graphql-platform/pull/9528
- https://github.com/ChilliCream/graphql-platform/releases/tag/12.22.7
- https://github.com/ChilliCream/graphql-platform/releases/tag/13.9.16
- https://github.com/ChilliCream/graphql-platform/security/advisories/GHSA-qr3m-xw4c-jqw3
- https://github.com/ChilliCream/graphql-platform/commit/08c0caa42ca33c121bbed49d2db892e5bf6fb541
- https://github.com/ChilliCream/graphql-platform/pull/9530
- https://github.com/ChilliCream/graphql-platform/pull/9531
- https://github.com/ChilliCream/graphql-platform/releases/tag/14.3.1
- https://github.com/ChilliCream/graphql-platform/releases/tag/15.1.14
- https://github.com/ChilliCream/graphql-platform/commit/4cbaf67d366f800fc1e484bc5c06dfcf27b45023
- https://github.com/ChilliCream/graphql-platform/commit/b185eb276c9ee227bd44616ff113be7f01a66c69
- https://github.com/ChilliCream/graphql-platform/commit/b9271e6a500484c002fd528dcd34d1a9b445480f
Details
- CVE ID: CVE-2026-40324
- Severity: Critical
- CVSS Score: 9.1
- Type: denial_of_service
- Status: new
CWE
- CWE-674 (Uncontrolled Recursion)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H