<Vulnerability name="CVE-2026-9165">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-06T08:38:30</PublicDate>
    <Bugzilla id="2480505" url="https://bugzilla.redhat.com/show_bug.cgi?id=2480505" xml:lang="en:us">
stackrox: stackrox: Unbounded GraphQL query depth allows authenticated denial of service
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-400</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane.
    </Details>
    <Statement xml:lang="en:us">
Red Hat Product Security is aware of this issue affecting RHACS Central. This flaw allows an authenticated user to reduce availability of the Central management component. Red Hat is not aware of malicious exploitation of this issue outside of coordinated testing. Updates addressing this issue will be released according to the RHACS support lifecycle. Refer to the associated errata when available for affected versions and update instructions.
    </Statement>
    <Acknowledgement xml:lang="en:us">
This issue was discovered by Moritz Clasmeier (Red Hat).
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
There is no complete mitigation other than installing the update once
available.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:advanced_cluster_security:4.10::el8">
        <ProductName>Red Hat Advanced Cluster Security for Kubernetes 4.10</ProductName>
        <ReleaseDate>2026-07-08T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:36625">RHSA-2026:36625</Advisory>
        <Package name="advanced-cluster-security/rhacs-main-rhel8">advanced-cluster-security/rhacs-main-rhel8:1783357140</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:advanced_cluster_security:4.11::el9">
        <ProductName>Red Hat Advanced Cluster Security for Kubernetes 4.11</ProductName>
        <ReleaseDate>2026-07-07T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:36207">RHSA-2026:36207</Advisory>
        <Package name="advanced-cluster-security/rhacs-main-rhel9">advanced-cluster-security/rhacs-main-rhel9:1783352589</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:advanced_cluster_security:4.9::el8">
        <ProductName>Red Hat Advanced Cluster Security for Kubernetes 4.9</ProductName>
        <ReleaseDate>2026-07-07T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:36319">RHSA-2026:36319</Advisory>
        <Package name="advanced-cluster-security/rhacs-main-rhel8">advanced-cluster-security/rhacs-main-rhel8:1783357116</Package>
    </AffectedRelease>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9165
https://nvd.nist.gov/vuln/detail/CVE-2026-9165
    </References>
</Vulnerability>