{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/resource-exhaustion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-25863"}],"_cs_exploited":false,"_cs_products":["Contact Form 7 WordPress plugin"],"_cs_severities":["medium"],"_cs_tags":["wordpress","resource-exhaustion","denial-of-service","cve-2026-25863"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Contact Form 7 WordPress plugin, specifically versions up to 2.6.7, contains an uncontrolled resource consumption vulnerability (CVE-2026-25863) within the \u003ccode\u003eWpcf7cfMailParser\u003c/code\u003e class. The \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method is susceptible to unbounded loop execution due to reading an iteration count directly from user-supplied POST parameters via the REST API endpoint without proper validation. This allows unauthenticated attackers to send a large integer value, triggering multiple \u003ccode\u003epreg_replace()\u003c/code\u003e operations, leading to server memory exhaustion and crashing the PHP process. 
This vulnerability enables a denial-of-service condition, potentially impacting all websites using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using Contact Form 7 plugin version 2.6.7 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the WordPress REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a large integer value for the iteration count parameter, which is passed directly to the \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method, lacking input validation, reads the attacker-controlled integer.\u003c/li\u003e\n\u003cli\u003eThe method initiates an unbounded loop, performing \u003ccode\u003epreg_replace()\u003c/code\u003e operations based on the attacker-supplied iteration count.\u003c/li\u003e\n\u003cli\u003eEach \u003ccode\u003epreg_replace()\u003c/code\u003e operation consumes server memory.\u003c/li\u003e\n\u003cli\u003eThe excessive number of iterations rapidly exhausts available server memory.\u003c/li\u003e\n\u003cli\u003eThe PHP process crashes due to memory exhaustion, resulting in a denial-of-service condition for the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition. Attackers can crash the PHP process on vulnerable WordPress websites by exhausting server memory. This can result in website downtime, impacting user experience and potentially leading to data loss or corruption. 
While the exact number of affected websites is unknown, the widespread use of Contact Form 7 makes this vulnerability a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Contact Form 7 WordPress plugin to a version greater than 2.6.7 to patch CVE-2026-25863.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Contact Form 7 Uncontrolled Resource Consumption Attempt\u003c/code\u003e to your SIEM to detect malicious POST requests targeting the WordPress REST API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally large POST request sizes to the WordPress REST API endpoint, as this may indicate an attempted exploitation of CVE-2026-25863.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T19:16:02Z","date_published":"2026-05-04T19:16:02Z","id":"/briefs/2026-05-contact-form-7-resource-exhaustion/","summary":"The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.","title":"Contact Form 7 WordPress Plugin Uncontrolled Resource Consumption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-contact-form-7-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41405"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","webhook","cve-2026-41405"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 is vulnerable to a resource exhaustion attack due to improper handling of MS Teams webhook requests. 
The application parses the request body before validating the JWT, which allows unauthenticated attackers to send malicious payloads. By sending specially crafted Teams webhook payloads, attackers can bypass authentication checks and exhaust server resources. This vulnerability, identified as CVE-2026-41405, can lead to denial of service and impacts systems where OpenClaw is used to process MS Teams webhooks. Successful exploitation can severely degrade or halt OpenClaw\u0026rsquo;s functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an OpenClaw instance processing MS Teams webhooks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious MS Teams webhook payload designed to consume excessive resources during parsing.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious webhook payload to the OpenClaw endpoint.\u003c/li\u003e\n\u003cli\u003eOpenClaw receives the webhook request and begins parsing the request body \u003cem\u003ebefore\u003c/em\u003e JWT validation.\u003c/li\u003e\n\u003cli\u003eThe malicious payload triggers excessive resource consumption (CPU, memory) during the parsing stage.\u003c/li\u003e\n\u003cli\u003eThe parsing process exhausts available server resources.\u003c/li\u003e\n\u003cli\u003eOpenClaw becomes unresponsive or crashes due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eLegitimate MS Teams webhook requests are no longer processed, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, rendering OpenClaw unresponsive. This can disrupt any services relying on OpenClaw for MS Teams webhook processing. While the precise number of affected organizations is unknown, any organization using a vulnerable version of OpenClaw is at risk. 
The impact includes potential loss of data, interrupted workflows, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41405.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the MS Teams webhook endpoint to mitigate resource exhaustion, even after patching.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for unusual traffic patterns and large request sizes to the MS Teams webhook endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Number of Requests to Teams Webhook\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-resource-exhaustion/","summary":"OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.","title":"OpenClaw MS Teams Webhook Resource Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6022"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6022","telerik","resource-exhaustion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eProgress Telerik UI for AJAX, a suite of UI components for ASP.NET AJAX, contains an uncontrolled resource consumption vulnerability within the RadAsyncUpload component. This vulnerability, identified as CVE-2026-6022, affects versions prior to 2026.1.421. 
The vulnerability stems from a failure to properly enforce maximum file size limits during the reassembly of file chunks uploaded via the RadAsyncUpload component. An unauthenticated attacker could exploit this vulnerability by uploading a large file in chunks, bypassing the configured maximum file size restriction. Successful exploitation leads to excessive disk space consumption on the server, potentially causing denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a web application using a vulnerable version of Progress Telerik UI for AJAX with the RadAsyncUpload component enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to initiate a file upload to the RadAsyncUpload endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker splits the malicious file into multiple chunks, each smaller than the initially configured maximum upload size limit.\u003c/li\u003e\n\u003cli\u003eThe attacker sends each chunk to the server using separate HTTP requests to the RadAsyncUpload endpoint.\u003c/li\u003e\n\u003cli\u003eThe server receives the chunks and stores them temporarily, without enforcing the cumulative file size.\u003c/li\u003e\n\u003cli\u003eOnce all chunks are uploaded, the RadAsyncUpload component reassembles the file.\u003c/li\u003e\n\u003cli\u003eDue to the missing cumulative size check, the reassembled file exceeds the maximum allowed file size.\u003c/li\u003e\n\u003cli\u003eThe server stores the complete, oversized file, leading to disk space exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition due to disk space exhaustion. The number of affected systems depends on the usage of the vulnerable Telerik UI for AJAX RadAsyncUpload component. 
Organizations in any sector using the affected Telerik component are potentially vulnerable. If successful, the attack can cause application downtime, data loss, and require administrative intervention to restore service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Progress Telerik UI for AJAX to version 2026.1.421 or later to patch CVE-2026-6022.\u003c/li\u003e\n\u003cli\u003eImplement server-side monitoring for excessive disk space usage in directories associated with RadAsyncUpload temporary file storage.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousRadAsyncUploadChunks\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden file upload size limits to prevent resource exhaustion, as described in the Telerik documentation referenced.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T08:16:12Z","date_published":"2026-04-22T08:16:12Z","id":"/briefs/2026-04-telerik-resource-exhaustion/","summary":"A vulnerability exists in Progress Telerik UI for AJAX prior to 2026.1.421, RadAsyncUpload, due to missing cumulative size enforcement during chunk reassembly, which allows file uploads to exceed the configured maximum size, leading to disk space exhaustion.","title":"Telerik UI for AJAX RadAsyncUpload Uncontrolled Resource Consumption (CVE-2026-6022)","url":"https://feed.craftedsignal.io/briefs/2026-04-telerik-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-in-depth","resource-exhaustion","information-disclosure","dotnet"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMeridian versions before 2.1.1 contain multiple vulnerabilities stemming from defense-in-depth gaps within the \u003ccode\u003eMeridian.Mapping\u003c/code\u003e and \u003ccode\u003eMeridian.Mediator\u003c/code\u003e 
components. Two high-severity issues involve bypassing the advertised \u003ccode\u003eDefaultMaxCollectionItems\u003c/code\u003e and \u003ccode\u003eDefaultMaxDepth\u003c/code\u003e safety caps, particularly when using the \u003ccode\u003eIMapper.Map(source, destination)\u003c/code\u003e overload or \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on collection-typed properties. These flaws can lead to resource exhaustion. Additional medium-severity issues include constructor invariant bypass, OpenTelemetry stack-trace information disclosure, retry amplification, and notification fan-out amplification. The vulnerabilities were patched in version 2.1.1, released on April 16, 2026. The issues affect applications using the Meridian library for object-object mapping and mediation. Successful exploitation could lead to denial-of-service conditions, information disclosure, and unexpected application behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted request to an application using Meridian, including a large or self-referential collection in the request payload.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s mapping logic utilizes \u003ccode\u003eIMapper.Map(source, destination)\u003c/code\u003e or \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on a collection property, triggering the vulnerable code path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMappingEngine.TryMapCollectionOntoExisting\u003c/code\u003e method processes the collection without enforcing \u003ccode\u003eDefaultMaxCollectionItems\u003c/code\u003e, leading to excessive memory consumption.\u003c/li\u003e\n\u003cli\u003eCollection-item recursion fails to increment \u003ccode\u003eResolutionContext.Depth\u003c/code\u003e, allowing self-referential graphs to bypass \u003ccode\u003eDefaultMaxDepth\u003c/code\u003e and cause a stack overflow.\u003c/li\u003e\n\u003cli\u003eThe 
unbounded collection processing consumes excessive CPU and memory resources, potentially blocking the worker thread.\u003c/li\u003e\n\u003cli\u003eAlternatively, an attacker exploits the \u003ccode\u003eObjectCreator.CreateWithConstructorMapping\u003c/code\u003e vulnerability by providing input that bypasses constructor invariants due to the widest constructor being selected.\u003c/li\u003e\n\u003cli\u003eThe application experiences a denial-of-service condition due to resource exhaustion or exhibits unintended behavior due to bypassed constructor invariants.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant consequences. An attacker can cause denial-of-service by exhausting server resources, potentially impacting all users of the affected application. Information disclosure is possible through OpenTelemetry stack traces, and bypassing constructor invariants can lead to unexpected application behavior and potential data corruption. The high-severity vulnerabilities related to collection mapping are particularly concerning due to the potential for easy exploitation through a single crafted request. 
The impact is mitigated by upgrading to version 2.1.1 of the \u003ccode\u003eMeridian.Mapping\u003c/code\u003e and \u003ccode\u003eMeridian.Mediator\u003c/code\u003e libraries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to Meridian version 2.1.1 to patch the identified vulnerabilities, as documented in the \u003ca href=\"https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16\"\u003ev2.1.1 CHANGELOG\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eFor applications that cannot be immediately upgraded, avoid using \u003ccode\u003emapper.Map(src, dst)\u003c/code\u003e and \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on collection-typed destination members as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eImplement explicit size limits on input collection deserialization before passing the payload to Meridian, as described in the \u003ca href=\"#workarounds\"\u003eWorkarounds section\u003c/a\u003e of this brief.\u003c/li\u003e\n\u003cli\u003eConsider disabling OpenTelemetry \u003ccode\u003eexception.stacktrace\u003c/code\u003e tag emission if your trace sink is not fully trusted, mitigating potential information disclosure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-17-meridian-defense-gaps/","summary":"Multiple defense-in-depth gaps exist in Meridian versions prior to 2.1.1, including high severity issues related to bypassing safety caps on collection mapping that can lead to resource exhaustion, along with medium and low severity issues affecting constructor selection, telemetry, retry mechanisms, and exception handling.","title":"Meridian Library Multiple Defense-in-Depth 
Gaps","url":"https://feed.craftedsignal.io/briefs/2026-04-17-meridian-defense-gaps/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40116"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-40116","resource-exhaustion","websocket","api-abuse","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, contains a vulnerability in versions prior to 4.5.128 that exposes the \u003ccode\u003e/media-stream\u003c/code\u003e WebSocket endpoint in its call module. This endpoint lacks authentication or Twilio signature validation, allowing any client to establish a connection. Each successful connection initiates an authenticated session to OpenAI\u0026rsquo;s Realtime API, utilizing the server\u0026rsquo;s API key. Due to the absence of rate limits, connection limits, or message size restrictions, a malicious actor can exploit this vulnerability by creating numerous concurrent connections. This can lead to the exhaustion of server resources and a significant drain on the victim\u0026rsquo;s OpenAI API credits. 
This vulnerability is addressed and patched in version 4.5.128.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a PraisonAI instance running a vulnerable version (prior to 4.5.128).\u003c/li\u003e\n\u003cli\u003eAttacker establishes a WebSocket connection to the \u003ccode\u003e/media-stream\u003c/code\u003e endpoint of the PraisonAI instance without providing any authentication credentials.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI server, upon receiving the unauthenticated WebSocket connection, creates an authenticated session with the OpenAI Realtime API using its own API key.\u003c/li\u003e\n\u003cli\u003eAttacker sends a large volume of messages through the WebSocket connection, exploiting the lack of message rate limits.\u003c/li\u003e\n\u003cli\u003eAttacker initiates multiple concurrent WebSocket connections to the \u003ccode\u003e/media-stream\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI server becomes overloaded due to the excessive number of connections and message processing demands.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s OpenAI API credits are rapidly depleted as the PraisonAI server processes requests from the attacker\u0026rsquo;s connections.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI server experiences degraded performance or becomes completely unresponsive, impacting legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in resource exhaustion on the PraisonAI server, potentially causing denial of service for legitimate users. Furthermore, it leads to the unauthorized consumption of the victim\u0026rsquo;s OpenAI API credits, resulting in unexpected charges and potential disruption of services reliant on the OpenAI API. 
The number of affected organizations depends on the prevalence of vulnerable PraisonAI instances deployed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI installations to version 4.5.128 or later to patch CVE-2026-40116.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on WebSocket connections to the \u003ccode\u003e/media-stream\u003c/code\u003e endpoint to mitigate resource exhaustion.\u003c/li\u003e\n\u003cli\u003eMonitor OpenAI API usage for unexpected spikes in activity that may indicate exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousPraisonAIWebSocketConnections\u003c/code\u003e to identify potential exploitation attempts by detecting a high number of connections to the \u003ccode\u003e/media-stream\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:35Z","date_published":"2026-04-09T22:16:35Z","id":"/briefs/2026-04-praisonai-websocket-vuln/","summary":"PraisonAI before version 4.5.128 is vulnerable to resource exhaustion and API credit draining due to the `/media-stream` WebSocket endpoint accepting unauthenticated connections, allowing attackers to exhaust server resources and drain OpenAI API credits.","title":"PraisonAI Unauthenticated WebSocket Allows Resource Exhaustion","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-websocket-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33756"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","graphql","cve-2026-33756","dos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSaleor, an e-commerce platform, is susceptible to a resource exhaustion vulnerability affecting versions from 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. 
This vulnerability stems from the platform\u0026rsquo;s support for query batching, where multiple GraphQL operations can be submitted in a single HTTP request as a JSON array. The absence of an upper limit on the number of operations within a single request allows unauthenticated attackers to bypass per-query complexity limits. By sending a single HTTP request containing a massive number of GraphQL operations, an attacker can exhaust server resources, potentially leading to denial of service. The vulnerability is addressed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Defenders must ensure they are running patched versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Saleor instance running a vulnerable version (prior to 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the GraphQL endpoint (typically \u003ccode\u003e/graphql/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request body contains a JSON array representing a batch of GraphQL queries.\u003c/li\u003e\n\u003cli\u003eThe number of GraphQL operations within the array is excessively large, designed to bypass query complexity limits.\u003c/li\u003e\n\u003cli\u003eThe Saleor server processes the HTTP request, attempting to execute all GraphQL operations within the batch.\u003c/li\u003e\n\u003cli\u003eDue to the large number of operations, the server\u0026rsquo;s resources (CPU, memory) become heavily utilized.\u003c/li\u003e\n\u003cli\u003eThe server becomes slow or unresponsive to legitimate user requests, causing a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to maintain the denial-of-service state, impacting legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in 
resource exhaustion on the Saleor e-commerce platform. This can lead to slow response times, application instability, and ultimately a denial-of-service condition for legitimate users. This vulnerability poses a significant risk to e-commerce businesses relying on Saleor, potentially impacting sales, customer satisfaction, and overall business operations. The number of potential victims is directly proportional to the number of Saleor installations running vulnerable versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Saleor instances to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 or later to patch CVE-2026-33756.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Volume of GraphQL Queries\u003c/code\u003e to identify potential exploitation attempts by monitoring the number of GraphQL queries within a single HTTP request in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally large HTTP POST requests to the \u003ccode\u003e/graphql/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the GraphQL endpoint to restrict the number of requests from a single IP address within a defined timeframe.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T12:00:00Z","date_published":"2026-04-09T12:00:00Z","id":"/briefs/2026-04-saleor-resource-exhaustion/","summary":"Unauthenticated attackers can exploit a resource exhaustion vulnerability (CVE-2026-33756) in Saleor e-commerce platform versions before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 by sending a single HTTP request with a large number of GraphQL operations, bypassing query complexity limits and exhausting server resources.","title":"Saleor GraphQL Batch Query Resource Exhaustion Vulnerability 
(CVE-2026-33756)","url":"https://feed.craftedsignal.io/briefs/2026-04-saleor-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35401"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-35401","graphql","resource-exhaustion","denial-of-service","saleor"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35401 details a resource exhaustion vulnerability affecting the Saleor e-commerce platform. Present in versions 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the flaw allows an unauthenticated, remote attacker to exhaust server resources. This is achieved by sending a single API call containing numerous GraphQL mutations or queries, leveraging aliases or chaining techniques. The excessive processing load induced by these malicious requests can lead to a denial-of-service (DoS) condition. Organizations using vulnerable Saleor versions are at risk of service disruption, potentially impacting business operations and revenue. Mitigation involves upgrading to the patched versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Saleor e-commerce platform running a vulnerable version (2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GraphQL query or mutation containing numerous aliased or chained operations. 
This is done to maximize server-side processing load.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GraphQL request to the Saleor platform\u0026rsquo;s API endpoint, typically \u003ccode\u003e/graphql/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Saleor server attempts to process all the queries/mutations within the single request.\u003c/li\u003e\n\u003cli\u003eThe server resources (CPU, memory, database connections) are rapidly consumed by the excessive processing demand.\u003c/li\u003e\n\u003cli\u003eThe server becomes slow and unresponsive, potentially timing out for legitimate user requests.\u003c/li\u003e\n\u003cli\u003eThe Saleor e-commerce platform experiences a denial-of-service condition, disrupting service for legitimate customers.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process to maintain the denial-of-service state, further impacting business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35401 leads to resource exhaustion on the Saleor e-commerce platform, resulting in a denial-of-service condition. This disruption can impact online sales, customer experience, and brand reputation. The number of affected systems depends on the prevalence of vulnerable Saleor installations. While the exact number of victims is unknown, any e-commerce business using an unpatched version is susceptible to service outages. 
Prolonged or repeated attacks can lead to significant financial losses and damage to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Saleor e-commerce platforms to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 to patch CVE-2026-35401.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/graphql/\u003c/code\u003e API endpoint to mitigate the impact of excessive requests.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious GraphQL Volume\u003c/code\u003e to identify potential exploitation attempts based on request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:23Z","date_published":"2026-04-08T19:25:23Z","id":"/briefs/2026-04-saleor-graphql-exhaustion/","summary":"A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.","title":"Saleor GraphQL Resource Exhaustion Vulnerability (CVE-2026-35401)","url":"https://feed.craftedsignal.io/briefs/2026-04-saleor-graphql-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed — Resource-Exhaustion","version":"https://jsonfeed.org/version/1.1"}