{"api_version":"1","generated_at":"2026-07-07T18:15:52+00:00","cve":"CVE-2026-9165","urls":{"html":"https://cve.report/CVE-2026-9165","api":"https://cve.report/api/cve/CVE-2026-9165.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9165","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9165"},"summary":{"title":"Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service","description":"A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-07-06 09:16:39","updated_at":"2026-07-07 16:16:41"},"problem_types":["CWE-400","CWE-400 Uncontrolled Resource Consumption"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-9165","name":"https://access.redhat.com/security/cve/CVE-2026-9165","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2480505","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2480505","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:36319","name":"https://access.redhat.com/errata/RHSA-2026:36319","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9165","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9165","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Advanced Cluster Security for Kubernetes 4.9","version":"unaffected 1783357116 * rpm","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-05-21T00:00:00.000Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-07-06T08:38:30.568Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"There is no complete mitigation other than installing the update once\navailable.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"This issue was discovered by Moritz Clasmeier (Red Hat).","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"9165","cve":"CVE-2026-9165","epss":"0.002600000","percentile":"0.173530000","score_date":"2026-07-06","updated_at":"2026-07-07 00:05:10"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-9165","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-07T14:00:57.848857Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-07T14:01:10.575Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:advanced_cluster_security:4.9::el8"],"defaultStatus":"affected","packageName":"advanced-cluster-security/rhacs-main-rhel8","product":"Red Hat Advanced Cluster Security for Kubernetes 4.9","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1783357116","versionType":"rpm"}]}],"credits":[{"lang":"en","value":"This issue was discovered by Moritz Clasmeier (Red Hat)."}],"datePublic":"2026-07-06T08:38:30.568Z","descriptions":[{"lang":"en","value":"A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"Uncontrolled Resource Consumption","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-07T15:11:04.279Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2026:36319","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36319"},{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-9165"},{"name":"RHBZ#2480505","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2480505"}],"timeline":[{"lang":"en","time":"2026-05-21T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-07-06T08:38:30.568Z","value":"Made public."}],"title":"Stackrox: stackrox: unbounded graphql query depth allows authenticated denial of service","workarounds":[{"lang":"en","value":"There is no complete mitigation other than installing the update once\navailable."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-400: Uncontrolled Resource Consumption"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-9165","datePublished":"2026-07-06T08:46:22.139Z","dateReserved":"2026-05-21T12:54:16.202Z","dateUpdated":"2026-07-07T15:11:04.279Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-06 09:16:39","lastModifiedDate":"2026-07-07 16:16:41","problem_types":["CWE-400","CWE-400 Uncontrolled Resource Consumption"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T14:00:57.848857Z","id":"CVE-2026-9165","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9165","Ordinal":"1","Title":"Stackrox: stackrox: unbounded graphql query depth allows authent","CVE":"CVE-2026-9165","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9165","Ordinal":"1","NoteData":"A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.","Type":"Description","Title":"Stackrox: stackrox: unbounded graphql query depth allows authent"}]}}}