CVE-2026-30241: Missing Query Depth Validation in Mercurius GraphQL Subscriptions


via Dev.to, CVE Reports

CVE-2026-30241: Missing Query Depth Validation in Mercurius GraphQL Subscriptions

Vulnerability ID: CVE-2026-30241
CVSS Score: 2.7
Published: 2026-03-06

A logic vulnerability in the Mercurius GraphQL adapter for Fastify allows attackers to bypass query depth limits using WebSocket subscriptions. While standard HTTP queries are validated against the configured queryDepth, subscription operations received via the WebSocket transport layer skip this check. This oversight allows unauthenticated remote attackers to submit arbitrarily nested queries, potentially leading to Denial of Service (DoS) via CPU and memory exhaustion when the subscription events are resolved.

TL;DR

Mercurius versions prior to 16.8.0 fail to apply queryDepth limits to GraphQL subscriptions over WebSockets. Attackers can exploit this to send deeply nested queries that exhaust server resources.

Exploit Status: POC

Technical Details

CVE ID: CVE-2026-30241
CVSS v4.0: 2.7 (Low)
CWE: CWE-863 (Incorrect Authorization)
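The bug class described above is a validation step bound to one transport instead of to the operation itself. The following is an added example, written for this page and not code from Mercurius or from the Dev.to author, showing the shape of the defect beside a transport-agnostic fix: a small depth counter for a GraphQL operation string, a gate that only consults the limit on the HTTP path (the vulnerable pattern), a gate that applies it to every operation, and a handler for a graphql-ws style subscribe message (`{ id, type: 'subscribe', payload: { query } }`) that rejects an over-deep subscription before it is registered. The depth metric (maximum nesting of selection-set braces) and the `accepted`/`error` return shapes are this example's own assumptions, not Mercurius's implementation.

```javascript
// Added example, not Mercurius code: a transport-agnostic depth check for
// GraphQL operations, applied identically to HTTP bodies and to WebSocket
// subscribe messages. Depth metric and message shapes are assumptions.

// Maximum nesting of selection-set braces in an operation string. Braces
// inside comments, string literals and argument lists (input objects such
// as `a(input: {x: 1})`) are ignored. Block strings containing a bare `"`
// are not handled; a real implementation should walk the parsed AST.
function queryDepth(query) {
  let depth = 0, max = 0, parens = 0;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (c === '#') {                         // comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (c === '"') {                  // string literal: skip, honour escapes
      i++;
      while (i < query.length && query[i] !== '"') {
        if (query[i] === '\\') i++;
        i++;
      }
    } else if (c === '(') {
      parens++;
    } else if (c === ')') {
      parens = Math.max(0, parens - 1);
    } else if (parens === 0 && c === '{') {  // a new selection set opens
      depth++;
      if (depth > max) max = depth;
    } else if (parens === 0 && c === '}') {
      depth--;
    }
  }
  return max;
}

// Vulnerable pattern (illustrative model of the advisory's description, not
// Mercurius source): the limit is only consulted when the transport is HTTP,
// so the same operation arriving over WebSocket is never checked.
function validateDepthVulnerable(operation, transport, maxDepth) {
  const depth = queryDepth(operation);
  if (transport !== 'http') return { ok: true, depth };
  return { ok: depth <= maxDepth, depth };
}

// Hardened pattern: the check is a property of the operation, not the
// transport, so there is no parameter through which a path can opt out.
function validateDepth(operation, maxDepth) {
  const depth = queryDepth(operation);
  return { ok: depth <= maxDepth, depth };
}

// Subscribe handling modelled on the graphql-ws protocol's subscribe message:
// { id, type: 'subscribe', payload: { query } }. The operation is validated
// before any subscription is registered, so an over-deep query never reaches
// the resolvers that would be invoked on each published event.
function handleSubscribe(message, maxDepth) {
  if (!message || message.type !== 'subscribe' ||
      !message.payload || typeof message.payload.query !== 'string') {
    return { id: message && message.id, type: 'error',
             payload: [{ message: 'Malformed subscribe message' }] };
  }
  const { ok, depth } = validateDepth(message.payload.query, maxDepth);
  if (!ok) {
    return { id: message.id, type: 'error',
             payload: [{ message: `Query depth ${depth} exceeds limit ${maxDepth}` }] };
  }
  return { id: message.id, type: 'accepted', depth };
}

// Constructed test input: a subscription nested n selection sets below the
// root, e.g. nestedSubscription(2) === 'subscription { node { node { id } } }'.
function nestedSubscription(n) {
  let q = 'id';
  for (let i = 0; i < n; i++) q = `node { ${q} }`;
  return `subscription { ${q} }`;
}

// Stand-alone demonstration of the bypass and of the fix.
const LIMIT = 7;
const deep = nestedSubscription(20);
console.log('http, vulnerable gate :', validateDepthVulnerable(deep, 'http', LIMIT));
console.log('ws,   vulnerable gate :', validateDepthVulnerable(deep, 'ws', LIMIT));
console.log('any,  hardened gate   :', validateDepth(deep, LIMIT));
console.log('ws subscribe message  :',
  handleSubscribe({ id: '1', type: 'subscribe', payload: { query: deep } }, LIMIT));
```

The depth counter is deliberately independent of how the operation arrived; the defence against this class of bypass is to run every cost-related validation (depth, complexity, operation whitelisting) in one place that both the HTTP handler and the WebSocket subscribe handler must pass through, rather than re-implementing the check per transport.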

