Cyber Resilience

CVE-2026-23897

Severity: High

Published: 04 February 2026
Modified: 18 March 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (17.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23897 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Apollo GraphQL's Apollo Server. Its CVSS v3.1 base score is 7.5 (High); the vector scores impact on availability only (C:N/I:N/A:H).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 17.3rd percentile by exploit likelihood (EPSS 0.0005, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23897 is a denial-of-service (DoS) vulnerability in Apollo Server, an open-source, spec-compliant GraphQL server that works with any GraphQL client. It affects the default configuration of startStandaloneServer from the @apollo/server/standalone package in versions 2.0.0 through 3.13.0, 4.2.0 up to but not including 4.13.0, and 5.0.0 up to but not including 5.4.0. The flaw is triggered by specially crafted request bodies that declare exotic character set encodings. It does not affect deployments that consume @apollo/server through an integration package such as @as-integrations/express5 or @as-integrations/next; only direct use of startStandaloneServer is exposed. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified as CWE-1333.

Any unauthenticated remote attacker who can reach the GraphQL endpoint can exploit the flaw: attack complexity is low and no user interaction is needed. Sending requests whose bodies declare such encodings drives excessive resource consumption on the server, leaving it unable to serve legitimate traffic. Confidentiality and integrity are not affected; the impact is availability alone.

The official mitigation guidance is in the Apollo Server GitHub security advisory (GHSA-mp6q-xf9x-fwf7), which references the fixing commits d25a5bdc377826ad424fcf7f8d1d062055911643 and e9d49d163a86b8a33be56ed27c494b9acd5400a4. Upgrade to 4.13.0 or later on the 4.x line or 5.4.0 or later on the 5.x line; since the listed ranges give no fixed release for the 2.x and 3.x lines, deployments still on those majors should move to a patched 4.x or 5.x release. Inventory every service that calls startStandaloneServer directly; services that reach @apollo/server through an integration package are not exposed to this issue.


Vulnerability details

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.

CWE(s)

CWE-1333 Inefficient Regular Expression Complexity

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to application-layer resource exhaustion DoS via crafted input exploiting a server-side parsing flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-46242 (shared CWE-1333)
CVE-2025-70030 (shared CWE-1333)
CVE-2024-41766 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)
CVE-2025-10990 (shared CWE-1333)
CVE-2026-27904 (shared CWE-1333)
CVE-2026-30925 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-23956 (shared CWE-1333)
CVE-2026-1388 (shared CWE-1333)

Affected Assets

Vendor: apollographql
Product: apollo server
Versions: 2.0.0 through 3.13.0 · 4.2.0 to before 4.13.0 · 5.0.0 to before 5.4.0

Mitigating Controls (NIST 800-53 r5)

Vendor patching (prevent): Directly mitigates the CVE by requiring timely installation of vendor patches for the DoS flaw in Apollo Server's startStandaloneServer handling of exotic character set encodings.

SC-5 Denial-of-Service Protection (prevent, detect): Implements denial-of-service protections that limit the effects of resource exhaustion attacks from specially crafted GraphQL request bodies with exotic encodings.

SI-10 Information Input Validation (prevent): Enforces validation of request body inputs to reject malformed or exotic character set encodings that trigger excessive resource consumption in Apollo Server.
