Threat Advisory

Apollo Server vulnerable to Denial of Service with `startStandaloneServer`

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-23897 describes a high-severity denial-of-service vulnerability in Apollo Server's `startStandaloneServer` functionality, provided by the `@apollo/server/standalone` package. The issue affects `@apollo/server` versions >= 4.2.0 and < 4.13.0, and >= 5.0.0 and < 5.4.0, as well as the legacy `apollo-server` package in versions 2.0.0 through 3.13.0. Specially crafted request bodies that declare exotic character-set encodings can trigger excessive resource consumption, leading to service disruption. The flaw is exploitable over the network with low attack complexity and requires no privileges or user interaction, giving it a CVSS v3 score of 7.5 (High) with an impact confined to availability. Users who run the standalone server directly are primarily affected; deployments that integrate Apollo Server through middleware packages may not be affected.

RECOMMENDATION:

We strongly recommend you update `@apollo/server` to version 4.13.0 or 5.4.0.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-mp6q-xf9x-fwf7
