Cyber Resilience

CVE-2026-1171

MediumPublic PoC

Published: 19 January 2026

Published
19 January 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 54.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1171 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Birkir Prime. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-1171 is a denial-of-service vulnerability in birkir prime versions up to 0.4.0.beta.0. The flaw affects an unknown function within the /graphql file of the GraphQL Field Handler component. Manipulation of this function can trigger a denial of service, as classified under CWE-404 (Improper Resource Shutdown or Denial of Service). The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low impact on availability but no effects on confidentiality or integrity.

The vulnerability can be exploited remotely by unauthenticated attackers with network access and no user interaction required. Successful exploitation leads to a denial-of-service condition, potentially disrupting service availability for affected instances of birkir prime.

Advisories from VulDB and the project's GitHub repository detail the issue, with an early report filed in birkir/prime issue #542. However, the project maintainers have not yet responded or issued patches, leaving affected versions unmitigated. No official vendor guidance on workarounds is available at this time.

An exploit for this vulnerability has been publicly disclosed and is available for use, increasing the risk of active exploitation against unpatched deployments.

EU & UK References

Vulnerability details

A flaw has been found in birkir prime up to 0.4.0.beta.0. Impacted is an unknown function of the file /graphql of the component GraphQL Field Handler. Executing a manipulation can lead to denial of service. The attack may be launched…

more

remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote exploitation of a public-facing GraphQL endpoint (T1190) to trigger application-level DoS via resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1172Same product: Birkir Prime
CVE-2026-1173Same product: Birkir Prime
CVE-2026-1174Same product: Birkir Prime
CVE-2026-1169Same product: Birkir Prime
CVE-2026-1175Same product: Birkir Prime
CVE-2024-57654Shared CWE-404
CVE-2024-57661Shared CWE-404
CVE-2024-57623Shared CWE-404
CVE-2026-1974Shared CWE-404
CVE-2025-15528Shared CWE-404

Affected Assets

birkir
prime
≤ 0.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements protections against resource-exhaustion attacks targeting the unauthenticated /graphql endpoint described in CVE-2026-1171.

prevent

Enforces access-control policy on the GraphQL Field Handler so that unauthenticated remote manipulation is blocked before it can trigger the DoS condition.

prevent

Requires validation of GraphQL field inputs, directly addressing the manipulation vector that leads to improper resource shutdown in the vulnerable handler.

References