Vulnerability in Chillicream Graphql-platform
CVE-2026-40324
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nest…
EPSS: 0.000 (14.8th percentile).
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
Affected products
- Chillicream Graphql-platform — versions < 12.22.7; >= 13.0.0 and < 13.9.16; >= 14.0.0 and < 14.3.1
Weakness classification (CWE)
- CWE-674: Uncontrolled Recursion
References
- https://github.com/ChilliCream/graphql-platform/security/advisories/GHSA-qr3m-xw4c-jqw3 (x_refsource_CONFIRM)
- https://github.com/ChilliCream/graphql-platform/pull/9528 (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/pull/9530 (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/pull/9531 (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/commit/08c0caa42ca33c121bbed49d2db892e5bf6fb541 (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/commit/4cbaf67d366f800fc1e484bc5c06dfcf27b45023 (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/commit/b185eb276c9ee227bd44616ff113be7f01a66c69 (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/commit/b9271e6a500484c002fd528dcd34d1a9b445480f (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/releases/tag/12.22.7 (x_refsource_MISC)
- https://github.com/ChilliCream/graphql-platform/releases/tag/13.9.16 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-40324?
- CVE-2026-40324 is a critical-severity vulnerability in Chillicream Graphql-platform, classified under Uncontrolled Recursion. CVSS score: 9.1/10. Published 2026-04-18.
- How severe is CVE-2026-40324?
- Critical severity. CVSS v3 base score is 9.1 out of 10.