CVE-2026-23897
Published: 04 February 2026
Summary
CVE-2026-23897 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Apollographql Apollo Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 6.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Direct mapping to application-layer resource exhaustion DoS via crafted input exploiting a server-side parsing flaw.
NVD Description
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
Deeper analysis (AI-generated)
CVE-2026-23897 is a denial-of-service (DoS) vulnerability in Apollo Server, an open-source, spec-compliant GraphQL server compatible with any GraphQL client. It affects the default configuration of startStandaloneServer from the @apollo/server/standalone package in versions 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0. The flaw is triggered by specially crafted request bodies using exotic character set encodings. It does not affect users who consume @apollo/server through integration packages such as @as-integrations/express5 or @as-integrations/next; only direct use of startStandaloneServer is exposed. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1333.
Any unauthenticated remote attacker with network access to the server can exploit this vulnerability with low complexity and no user interaction required. By sending malicious requests with exotic encodings, the attacker triggers excessive resource consumption, leading to a denial of service that disrupts server availability.
The official mitigation guidance is detailed in the Apollo Server GitHub security advisory (GHSA-mp6q-xf9x-fwf7), along with the fixing commits d25a5bdc377826ad424fcf7f8d1d062055911643 and e9d49d163a86b8a33be56ed27c494b9acd5400a4. Security practitioners should upgrade to a version outside the affected ranges and review any deployment that calls startStandaloneServer directly.
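The practical first step is an inventory check: which installed copies of @apollo/server fall inside the three affected ranges this record lists. The script below is an added example written for this page (it is not Apollo's code and not part of the advisory). It reads a package-lock.json style "packages" map, compares versions with a small hand-written semver comparison so it needs no third-party modules, and reports each @apollo/server copy as affected or not. The lockfile content is constructed for the demonstration. One assumption is labelled in the code: the record's phrase "from 2.0.0 to 3.13.0" is read as inclusive of 3.13.0, while the "before 4.13.0" and "before 5.4.0" bounds are exclusive as written.

```javascript
// Added example for CVE-2026-23897: flag @apollo/server versions inside the
// affected ranges stated in the record. Not Apollo's code; no external modules.

// Affected ranges as listed in the NVD description. ASSUMPTION: the 2.x-3.x
// range ("to 3.13.0") includes 3.13.0; the other two upper bounds are exclusive
// because the record says "before".
const AFFECTED_RANGES = [
  { lo: '2.0.0', hi: '3.13.0', hiInclusive: true },
  { lo: '4.2.0', hi: '4.13.0', hiInclusive: false },
  { lo: '5.0.0', hi: '5.4.0',  hiInclusive: false },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (leading "v" tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before the release with the same
// numeric triple, as semver specifies, so 4.13.0-alpha.1 is still < 4.13.0.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// True when the version lies in any of the affected ranges.
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(({ lo, hi, hiInclusive }) => {
    const atOrAboveLo = compareVersions(version, lo) >= 0;
    const cmpHi = compareVersions(version, hi);
    const belowHi = hiInclusive ? cmpHi <= 0 : cmpHi < 0;
    return atOrAboveLo && belowHi;
  });
}

// Walk a lockfile v2/v3 "packages" map and report every @apollo/server copy,
// including nested ones under workspace or transitive node_modules paths.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/@apollo/server') || !entry.version) continue;
    findings.push({ path, version: entry.version, affected: isAffectedVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile for the demonstration (not a real project).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/@apollo/server': { version: '4.12.2' },
    'node_modules/@apollo/client': { version: '3.11.0' },
    'packages/legacy/node_modules/@apollo/server': { version: '5.4.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.affected ? 'AFFECTED' : 'not affected'}`);
}
```

A version match only establishes exposure at the package level. The record states that only direct use of startStandaloneServer is vulnerable, so after the scan, confirm for each affected copy whether the deployment calls startStandaloneServer itself or goes through an integration package such as @as-integrations/express5 or @as-integrations/next, and prioritise the former for upgrade.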
Details
- CWE(s)