Executive Summary

CVE-2026-35523 is an authentication bypass vulnerability in the strawberry-graphql Python library, affecting versions up to 0.312.2. The issue occurs in the handling of WebSocket subscription endpoints when using the legacy graphql-ws subprotocol. The server does not verify that a connection_init handshake message has been completed before processing start (subscription) messages. This allows a remote attacker to bypass the on_ws_connect authentication hook by connecting with the graphql-ws subprotocol and sending a start message directly, without sending the required connection_init message.

The newer graphql-transport-ws subprotocol is not vulnerable because it enforces gating of subscription operations based on a connection_acknowledged flag. Both subprotocols are enabled by default, so applications relying on the on_ws_connect hook for authentication or authorization are susceptible to this bypass.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a remote attacker to bypass authentication on WebSocket subscription endpoints in strawberry-graphql applications using the legacy graphql-ws subprotocol. Because the attacker can skip the authentication hook entirely, they may gain unauthorized access to subscription data or services.

The CVSS v3 base score is 7.5 (High severity), indicating a significant risk. The attack requires no privileges and no user interaction, and it can be performed remotely over the network. The impact is high on confidentiality, meaning sensitive data could be exposed, but there is no impact on integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring WebSocket connections to your Strawberry GraphQL API, specifically looking for connections using the legacy `graphql-ws` subprotocol where a `start` message is sent without a preceding `connection_init` handshake.

You can inspect WebSocket traffic by capturing packets or using WebSocket debugging tools to check the `Sec-WebSocket-Protocol` header for `graphql-ws` and verify if `connection_init` messages are missing before `start` messages.

Example commands to detect this behavior might include using `tcpdump` or `Wireshark` to capture WebSocket traffic on the relevant port and filter for the `Sec-WebSocket-Protocol` header:

• tcpdump -i <interface> -A -s 0 'tcp port <graphql-websocket-port>' | grep 'Sec-WebSocket-Protocol: graphql-ws'
• Use WebSocket debugging tools or browser developer tools to inspect WebSocket frames and verify the sequence of messages, ensuring that `connection_init` is sent before any `start` messages.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade your Strawberry GraphQL package to version 0.312.3 or later where the authentication bypass issue is fixed.

Alternatively, if upgrading is not immediately possible, explicitly disable the legacy `graphql-ws` subprotocol by configuring your GraphQL view or router to use only the `graphql-transport-ws` subprotocol. This can be done by setting `subscription_protocols=[GRAPHQL_TRANSPORT_WS_PROTOCOL]` in your configuration.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to bypass authentication on WebSocket subscription endpoints, potentially exposing sensitive data without proper authorization.

Such unauthorized access can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, applications using vulnerable versions of strawberry-graphql may fail to comply with these standards due to the risk of unauthorized data exposure.

Mitigating the vulnerability by upgrading to version 0.312.3 or later, or disabling the legacy subprotocol, is necessary to maintain compliance.

Useful 0 Not Useful 0