CVE-2026-43967— Quadratic fragment-name uniqueness check causes denial of service in absinthe
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43967
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Source: NVD (National Vulnerability Database)
Vulnerability Description
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
算法复杂性
Source: NVD (National Vulnerability Database)
Vulnerability Title
Absinthe 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Absinthe是Absinthe开源的一个基于Elixir的GraphQL实现框架。 Absinthe 1.2.0至1.10.2之前版本存在安全漏洞,该漏洞源于片段名称唯一性验证存在二次算法复杂度问题,可能导致未经身份验证的拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| absinthe-graphql | absinthe | 1.2.0 ~ 1.10.2 | cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* | |
| absinthe-graphql | absinthe | 0b46e3bcc06c0d3797bacd64761b908a84646c1d ~ 223600c520493dcaf95080af552c413099f92c9d | cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-43967
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43967
请登录查看更多情报信息。
- EEF-CVE-2026-43967 - OSVrelated
- Quadratic fragment-name uniqueness check · Advisory · absinthe-graphql/absinthe · GitHubvendor-advisoryrelated
- https://nvd.nist.gov/vuln/detail/CVE-2026-43967
Same Patch Batch · absinthe-graphql · 2026-05-08 · 3 CVEs total
| CVE-2026-42793 | Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe | |
| CVE-2026-42794 | Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug |
IV. Related Vulnerabilities
Same weakness: CWE-407
- CVE-2026-45186
libexpat<2.8.1 XML输入拒绝服务漏洞 - CVE-2026-42245
net-imap: Quadratic complexity when reading response literal - CVE-2026-40476
graphql-php: Denial of Service via quadratic complexity in O - CVE-2026-35599
Vikunja has an Algorithmic Complexity DoS in Repeating Task - CVE-2026-6042
musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic c
V. Comments for CVE-2026-43967
No comments yet