CVE-2026-9165
Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service
CVSS Score
7.7
EPSS Score
0.3%
EPSS Percentile
17th
A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
| CWE | CWE-400 |
| Vendor | red hat |
| Product | red hat advanced cluster security for kubernetes 4.10 |
| Published | Jul 6, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for red hat red hat advanced cluster security for kubernetes 4.10
Be the first to know when new high vulnerabilities affecting red hat red hat advanced cluster security for kubernetes 4.10 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Red Hat / Red Hat Advanced Cluster Security for Kubernetes 4.10
All versions affected Red Hat / Red Hat Advanced Cluster Security for Kubernetes 4.11
All versions affected Red Hat / Red Hat Advanced Cluster Security for Kubernetes 4.9
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36207 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36319 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36625 access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-9165 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2480505
Credits
This issue was discovered by Moritz Clasmeier (Red Hat).