CVE-2026-30241
Published: 06 March 2026
Summary
CVE-2026-30241 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Mercurius Project Mercurius. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely application of the vendor patch (version 16.8.0) that enforces queryDepth limits on WebSocket subscription queries.
Requires validation of all GraphQL inputs, including deeply nested subscription queries over WebSocket, to enforce depth limits and prevent exponential resource exhaustion.
Provides denial-of-service protections such as rate limiting on WebSocket connections to block resource exhaustion from arbitrarily deep subscription queries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing GraphQL service (Mercurius/Fastify) allows unauthenticated remote exploitation via WebSocket to bypass depth limits and trigger application-layer resource exhaustion/DoS on recursive schemas, directly mapping to initial access via public app exploitation and endpoint DoS via application exploitation.
NVD Description
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription…
more
queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0.
Deeper analysisAI
CVE-2026-30241 is a vulnerability in Mercurius, a GraphQL adapter for Fastify, affecting versions prior to 16.8.0. The issue involves a failure to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. Depth validation is correctly applied to HTTP-based queries and mutations, but subscription queries are parsed and executed without this check, enabling remote clients to submit arbitrarily deeply nested subscription queries and bypass the intended restriction.
A remote attacker with network access can exploit this vulnerability without authentication or user interaction by establishing a WebSocket connection and sending deeply nested subscription queries. On GraphQL schemas featuring recursive types, this triggers exponential data resolution during each subscription event, leading to denial of service. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and is classified under CWE-863 (Incorrect Authorization).
Mercurius version 16.8.0 addresses this issue with a patch. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/mercurius-js/mercurius/security/advisories/GHSA-m4h2-mjfm-mp55 and the patching commit at https://github.com/mercurius-js/mercurius/commit/5b56f60f4b0d60780b0ff499a479bd830bdd6986.
Details
- CWE(s)