External risk intelligence

GraphQL server crash can disrupt services and drop user connections

CVE advisory
Severity: CRITICAL (CVSS 9.1)

CVE-2026-40324

A vulnerability in the Hot Chocolate GraphQL server can let attackers crash its entire process with a crafted request, disrupting services and dropping user connections. Update immediately.

Halo Surface Signal score: 5

External exposure likelihood

Halo Surface Signal score for CVE-2026-40324

Hot Chocolate is a GraphQL server designed to process queries from external clients, commonly deployed as public-facing API endpoints for web and mobile apps. Because the vulnerability resides in the request parsing component, the attack surface is inherently exposed on any public GraphQL endpoint, fitting the definition of public-facing by design in normal use.

PCI scan relevance

PCI Relevance for CVE-2026-40324

Yes

CVE-2026-40324 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Hot Chocolate's GraphQL server allows an attacker to cause a stack overflow, leading to a denial of service and termination of the worker process. Such vulnerabilities are typically considered an automatic fail in PCI ASV scans due to their potentia

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Hot Chocolate GraphQL server allows an attacker to crash the entire worker process by sending a specially crafted, deeply nested query. This causes a `StackOverflowException` that cannot be caught, disrupting service for all users connected to that process.

  • Disrupts service for all users.
  • Affects any public GraphQL endpoint.
  • Potentially impacts business operations.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted, deeply nested GraphQL query to a vulnerable Hot Chocolate server. This would cause the parser to consume excessive stack space, leading to a denial-of-service by crashing the entire worker process. This attack requires no prior authentication and can be performed remotely.

  • Unauthenticated network access needed.
  • Target GraphQL endpoint.
  • Maliciously structured query.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for denial-of-service attacks by crashing the worker process via crafted GraphQL requests. While the vulnerability is in a component that processes requests, its exploitation may be limited due to the specific nature of the crash and the uncatchable `StackOverflowException` in .NET. Attackers might favor this type of vulnerability for disruption if it can be reliably triggered remotely with minimal effort.

  • No public exploits observed.
  • No KEV listing signals observed.
  • Vulnerability is in a core parsing function.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Hot Chocolate to patched versions to prevent uncatchable `StackOverflowException` crashes. The vulnerability can lead to worker process termination, impacting all active requests and services.

  • Upgrade to 12.22.7, 13.9.16, 14.3.1, or 15.1.14.
  • Limit HTTP request body size at the proxy.
  • Monitor for worker process restarts.
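The two mitigations above (body-size limit, plus an upper bound on how deeply a document may nest) can both be enforced in front of the server, before the request ever reaches Hot Chocolate's recursive-descent parser. The following is an added example, not code from this advisory or from the Hot Chocolate project: a small pre-parser guard that a proxy or middleware could run on each request body. The size budget and the depth limit of 32 are assumptions chosen for illustration; since the advisory notes that payloads under 40KB are enough to trigger the crash, the size limit alone is not a sufficient control and the depth check carries the weight. The scan is a single pass with a counter rather than a recursive parse, so the guard cannot itself exhaust the stack. Upgrading to a patched version remains the actual fix.

```python
"""Pre-parser guard for GraphQL request bodies (illustrative, not Hot Chocolate code).

Rejects oversized or excessively nested documents before they reach a
GraphQL server's recursive parser. The nesting scan is iterative, so it
cannot itself overflow the stack while inspecting a hostile document.
"""
import json

MAX_BODY_BYTES = 40 * 1024   # assumption: size budget; not sufficient on its own (see advisory)
MAX_NESTING = 32             # assumption: far deeper than legitimate queries need

OPENERS = {"{": "}", "(": ")", "[": "]"}
CLOSERS = set(OPENERS.values())


def max_nesting_depth(document: str) -> int:
    """Return the deepest bracket nesting in a GraphQL document.

    Contents of block strings, ordinary strings and # comments are skipped so
    that braces inside them do not count. A counter replaces recursion.
    """
    depth = 0
    deepest = 0
    i = 0
    n = len(document)
    while i < n:
        ch = document[i]
        if document.startswith('"""', i):          # block string: skip to closing triple quote
            end = document.find('"""', i + 3)
            i = n if end == -1 else end + 3
            continue
        if ch == '"':                               # ordinary string: honour backslash escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            i += 1
            continue
        if ch == "#":                               # comment runs to end of line
            end = document.find("\n", i)
            i = n if end == -1 else end
            continue
        if ch in OPENERS:
            depth += 1
            deepest = max(deepest, depth)
        elif ch in CLOSERS:
            depth = max(0, depth - 1)
        i += 1
    return deepest


def check_request(body: bytes) -> tuple[bool, str]:
    """Decide whether a raw HTTP body is safe to forward to the GraphQL server.

    Returns (True, "ok") or (False, reason). The reason is suitable for a
    proxy log line, which is also where worker-crash correlation would start.
    """
    if len(body) > MAX_BODY_BYTES:
        return False, f"body {len(body)} bytes exceeds limit {MAX_BODY_BYTES}"
    try:
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False, "body is not valid JSON"
    query = payload.get("query") if isinstance(payload, dict) else None
    if not isinstance(query, str):
        return False, "missing or non-string 'query' field"
    depth = max_nesting_depth(query)
    if depth > MAX_NESTING:
        return False, f"nesting depth {depth} exceeds limit {MAX_NESTING}"
    return True, "ok"


# Constructed sample requests (not captured traffic). The string argument in
# LEGIT contains braces on purpose, to show they are not counted.
LEGIT = json.dumps(
    {"query": 'query { user(id: "{not a brace}") { name friends { name } } }'}
).encode()
NESTED = json.dumps({"query": "{ a " * 500 + "}" * 500}).encode()

if __name__ == "__main__":
    for label, body in (("legit", LEGIT), ("nested", NESTED)):
        ok, reason = check_request(body)
        print(f"{label}: {'forward' if ok else 'reject'} ({reason})")
```

The constructed `NESTED` body is only a few kilobytes, so it passes the size check and is stopped by the depth check, which is the point of layering the two. In a real deployment the reject path should emit a structured log event so that spikes in rejected requests can be correlated with any worker restarts the advisory tells you to monitor for.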

Frequently asked questions

What is Hot Chocolate and what is it used for?

Hot Chocolate is an open-source GraphQL server. Developers use it to build APIs that allow applications to fetch data efficiently by letting clients request exactly what they need.

What is CVE-2026-40324 and what type of weakness does it represent?

CVE-2026-40324 is a vulnerability in the Hot Chocolate GraphQL server's parsing component. It is classified as CWE-674 (Uncontrolled Recursion): the parser recurses without a bound, exhausting the stack and raising a `StackOverflowException` that cannot be handled.

How can an attacker trigger this vulnerability?

An attacker can trigger this by sending a GraphQL query with a deeply nested structure. The crafted query drives the parser into recursion deeper than the thread's stack can hold, crashing the process. A query of fewer than 40KB can be enough.

Who should be concerned about this vulnerability?

Organizations running Hot Chocolate GraphQL servers that are internet-facing should be concerned. The Halo Surface Signal indicates this vulnerability is very likely exposed externally, as these servers commonly process requests from external clients.

What is the first step for organizations running this technology?

The most important first step is to upgrade Hot Chocolate to a patched version. Specific versions like 12.22.7, 13.9.16, 14.3.1, or 15.1.14 include a fix for this issue.
