CVE-2026-35523
Status: Received - Intake
Authentication Bypass in Strawberry GraphQL WebSocket Subscriptions

Publication date: 2026-04-07

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry versions prior to 0.312.3 are vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. A remote attacker can therefore skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: strawberry
Product: strawberry_graphql
Version / Range: up to 0.312.3 (excluding)
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35523 is an authentication bypass vulnerability in the strawberry-graphql Python library, affecting versions up to 0.312.2. The issue occurs in the handling of WebSocket subscription endpoints when using the legacy graphql-ws subprotocol. The server does not verify that a connection_init handshake message has been completed before processing start (subscription) messages. This allows a remote attacker to bypass the on_ws_connect authentication hook by connecting with the graphql-ws subprotocol and sending a start message directly, without sending the required connection_init message.

The newer graphql-transport-ws subprotocol is not vulnerable because it gates subscription operations on a connection_acknowledged flag that is only set after a successful connection_init. Both subprotocols are enabled by default, and the client chooses which one is negotiated, so an application that relies on the on_ws_connect hook for authentication or authorization is susceptible even if all of its legitimate clients use graphql-transport-ws.
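The gating difference described above, as an added model written for this page (not Strawberry's own code): a minimal handler for each subprotocol, the legacy one in its unpatched and patched form, driven by the attacker's message sequence and by a legitimate client's sequence. The token-in-payload hook, the constructed subscription query, and the close codes 4401/4403 for the corrected handlers (the codes the graphql-transport-ws specification uses) are assumptions; the advisory does not state what Strawberry 0.312.3 itself sends.

```python
"""Model of Strawberry's two WebSocket subprotocol handlers (added illustration).

Not Strawberry's code. It reproduces the behaviour the advisory describes:
the legacy graphql-ws handler dispatches `start` without checking that the
connection_init handshake completed, so on_ws_connect never runs.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional

GRAPHQL_WS = "graphql-ws"                      # legacy subprotocol
GRAPHQL_TRANSPORT_WS = "graphql-transport-ws"  # current subprotocol
VALID_TOKEN = "demo-token"                     # constructed credential (assumption)


@dataclass
class Connection:
    subprotocol: str
    connection_acknowledged: bool = False
    subscriptions: dict[str, str] = field(default_factory=dict)
    sent: list[dict[str, Any]] = field(default_factory=list)
    close_code: Optional[int] = None


def on_ws_connect(payload: Any) -> bool:
    """Stand-in for the application's on_ws_connect hook (assumed token check)."""
    return isinstance(payload, dict) and payload.get("token") == VALID_TOKEN


def _handle_connection_init(conn: Connection, msg: dict[str, Any]) -> None:
    if on_ws_connect(msg.get("payload")):
        conn.connection_acknowledged = True
        conn.sent.append({"type": "connection_ack"})
    else:
        conn.close_code = 4403  # hook rejected the connection (assumed code)


def _register_subscription(conn: Connection, msg: dict[str, Any]) -> None:
    conn.subscriptions[msg["id"]] = msg["payload"]["query"]


def handle_legacy(conn: Connection, msg: dict[str, Any], patched: bool) -> None:
    """graphql-ws handler. With patched=False, `start` is processed whether or
    not connection_init was ever sent: the flaw in CVE-2026-35523."""
    if msg["type"] == "connection_init":
        _handle_connection_init(conn, msg)
    elif msg["type"] == "start":
        if patched and not conn.connection_acknowledged:
            conn.close_code = 4401  # not authenticated (assumed code)
            return
        _register_subscription(conn, msg)


def handle_transport_ws(conn: Connection, msg: dict[str, Any]) -> None:
    """graphql-transport-ws handler: `subscribe` is gated on connection_acknowledged."""
    if msg["type"] == "connection_init":
        _handle_connection_init(conn, msg)
    elif msg["type"] == "subscribe":
        if not conn.connection_acknowledged:
            conn.close_code = 4401  # "Unauthorized" in the graphql-transport-ws spec
            return
        _register_subscription(conn, msg)


def run(subprotocol: str, messages: list[dict[str, Any]], patched: bool = False) -> Connection:
    """Feed client messages to the handler for the negotiated subprotocol,
    stopping once the server has closed the socket."""
    conn = Connection(subprotocol)
    for msg in messages:
        if conn.close_code is not None:
            break
        if subprotocol == GRAPHQL_WS:
            handle_legacy(conn, msg, patched)
        elif subprotocol == GRAPHQL_TRANSPORT_WS:
            handle_transport_ws(conn, msg)
        else:
            conn.close_code = 4406  # unknown subprotocol
    return conn


def subscribed_without_handshake(conn: Connection) -> bool:
    """True if a subscription was registered although the hook never accepted the connection."""
    return bool(conn.subscriptions) and not conn.connection_acknowledged


SUBSCRIPTION = "subscription { secretEvents { id payload } }"  # constructed query
# Attack sequence from the advisory: an operation with no connection_init at all.
BYPASS_LEGACY = [{"type": "start", "id": "1", "payload": {"query": SUBSCRIPTION}}]
BYPASS_TRANSPORT = [{"type": "subscribe", "id": "1", "payload": {"query": SUBSCRIPTION}}]
# A legitimate legacy client: handshake first, carrying the token.
LEGIT_LEGACY = [{"type": "connection_init", "payload": {"token": VALID_TOKEN}}] + BYPASS_LEGACY

if __name__ == "__main__":
    for label, conn in [
        ("legacy, unpatched", run(GRAPHQL_WS, BYPASS_LEGACY)),
        ("legacy, patched", run(GRAPHQL_WS, BYPASS_LEGACY, patched=True)),
        ("graphql-transport-ws", run(GRAPHQL_TRANSPORT_WS, BYPASS_TRANSPORT)),
        ("legacy, legitimate", run(GRAPHQL_WS, LEGIT_LEGACY)),
    ]:
        print(f"{label:22} bypass={subscribed_without_handshake(conn)} close={conn.close_code}")
```

Only the unpatched legacy run registers a subscription with `connection_acknowledged` still false; the patched legacy handler and the graphql-transport-ws handler both close the socket before any resolver runs.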


How can this vulnerability impact me?

This vulnerability allows a remote attacker to bypass authentication on WebSocket subscription endpoints in strawberry-graphql applications that still accept the legacy graphql-ws subprotocol. Because the attacker skips the authentication hook entirely, they receive whatever the subscription resolvers deliver to an unauthenticated connection, which is unauthorized access to subscription data.

The CVSS v3 base score is 7.5 (High severity), indicating a significant risk. The attack requires no privileges and no user interaction, and it can be performed remotely over the network. The impact is high on confidentiality, meaning sensitive data could be exposed, but there is no impact on integrity or availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The most reliable check is the installed package version: any `strawberry-graphql` release before 0.312.3 is affected as long as the legacy `graphql-ws` subprotocol is enabled, which it is by default. On the network side, an exploitation attempt is a WebSocket connection negotiated with the `graphql-ws` subprotocol in which a `start` message arrives without a preceding `connection_init` handshake.

Which subprotocol a client negotiated is visible in the `Sec-WebSocket-Protocol` header of the HTTP upgrade request and response. The message sequence itself is harder to observe passively: client-to-server WebSocket frames are masked, and most GraphQL endpoints are served over TLS, so a packet capture will not show `start` or `connection_init` in the clear. Server-side logging of WebSocket messages, a reverse proxy that logs WebSocket frames, or the browser's developer tools on a test client are the practical options.

Example commands:

  • python -c "import importlib.metadata as m; print(m.version('strawberry-graphql'))" — prints the installed version; anything below 0.312.3 is affected.
  • tcpdump -i <interface> -A -s 0 'tcp port <graphql-websocket-port>' | grep -iE 'Sec-WebSocket-Protocol:.*\bgraphql-ws\b' — lists plaintext upgrade requests that offer the legacy subprotocol; only useful on a non-TLS segment, for example between a TLS-terminating proxy and the application.
  • Use WebSocket debugging tools or browser developer tools to inspect WebSocket frames and verify the sequence of messages, confirming that `connection_init` is sent before any `start` message.
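The message-order check described above, as an added detector written for this page (not part of the advisory or of Strawberry), run over constructed server-side WebSocket logs. The log format is an assumption: one JSON object per line carrying a connection id, an event kind (`handshake` or `message`), the negotiated subprotocol on handshake records, and the GraphQL-over-WebSocket message type on message records. It also flags the same pattern on graphql-transport-ws, which is not exploitable but is the same probe aimed at the other subprotocol.

```python
"""Detect subscription operations sent before connection_init (added example).

Assumed log format (constructed for this illustration): one JSON record per
line with "conn" (connection id), "event" ("handshake" | "message"),
"subprotocol" on handshake records, and "type" on message records.
"""
import json

LEGACY = "graphql-ws"
TRANSPORT = "graphql-transport-ws"
# The operation message that must not precede connection_init, per subprotocol.
OPERATION_TYPE = {LEGACY: "start", TRANSPORT: "subscribe"}

# Constructed sample: c1 is a legitimate legacy client; c2 is the bypass from the
# advisory; c3 is the same probe against graphql-transport-ws; c4 sends start
# first and connection_init afterwards, which is still a bypass on an unpatched server.
SAMPLE_LOG = """\
{"ts":"2026-04-08T10:00:00Z","conn":"c1","src":"10.0.0.5","event":"handshake","subprotocol":"graphql-ws"}
{"ts":"2026-04-08T10:00:00Z","conn":"c1","event":"message","type":"connection_init"}
{"ts":"2026-04-08T10:00:01Z","conn":"c1","event":"message","type":"start","id":"1"}
{"ts":"2026-04-08T10:00:05Z","conn":"c2","src":"203.0.113.7","event":"handshake","subprotocol":"graphql-ws"}
{"ts":"2026-04-08T10:00:05Z","conn":"c2","event":"message","type":"start","id":"1"}
{"ts":"2026-04-08T10:00:09Z","conn":"c3","src":"203.0.113.7","event":"handshake","subprotocol":"graphql-transport-ws"}
{"ts":"2026-04-08T10:00:09Z","conn":"c3","event":"message","type":"subscribe","id":"1"}
{"ts":"2026-04-08T10:00:12Z","conn":"c4","src":"198.51.100.2","event":"handshake","subprotocol":"graphql-ws"}
{"ts":"2026-04-08T10:00:12Z","conn":"c4","event":"message","type":"start","id":"7"}
{"ts":"2026-04-08T10:00:13Z","conn":"c4","event":"message","type":"connection_init"}
"""


def find_bypass_attempts(log_text: str) -> list[dict]:
    """Return one finding per connection whose first operation message arrived
    before any connection_init. `exploitable` is True only for the legacy
    subprotocol, where an unpatched server would have served the subscription."""
    state: dict[str, dict] = {}   # conn -> negotiated subprotocol, source, init seen
    flagged: set[str] = set()
    findings: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        conn = rec["conn"]
        if rec["event"] == "handshake":
            state[conn] = {"subprotocol": rec.get("subprotocol"),
                           "src": rec.get("src"), "init_seen": False}
            continue
        st = state.get(conn)
        if st is None:
            continue  # message on a connection whose handshake was not logged
        mtype = rec.get("type")
        if mtype == "connection_init":
            st["init_seen"] = True
        elif (mtype == OPERATION_TYPE.get(st["subprotocol"])
              and not st["init_seen"] and conn not in flagged):
            flagged.add(conn)
            findings.append({
                "conn": conn,
                "src": st["src"],
                "subprotocol": st["subprotocol"],
                "ts": rec.get("ts"),
                "operation_id": rec.get("id"),
                "exploitable": st["subprotocol"] == LEGACY,
            })
    return findings


if __name__ == "__main__":
    for f in find_bypass_attempts(SAMPLE_LOG):
        print(f)
```

Connections c2 and c4 are reported as exploitable (legacy subprotocol, operation before handshake); c3 is reported but not exploitable; c1 is not reported. Feeding the detector from a reverse proxy that logs frames, rather than from the application, also catches attempts against instances that are already patched, which is useful for attribution.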

What immediate steps should I take to mitigate this vulnerability?

The fix is to upgrade `strawberry-graphql` to version 0.312.3 or later.

If upgrading is not immediately possible, disable the legacy `graphql-ws` subprotocol so that only `graphql-transport-ws` can be negotiated: pass `subscription_protocols=[GRAPHQL_TRANSPORT_WS_PROTOCOL]` (the constant is exported by `strawberry.subscriptions`) to your GraphQL view or router. Two caveats: clients that still speak the legacy `subscriptions-transport-ws` protocol will no longer be able to subscribe, and this only closes the path described here, so if the `on_ws_connect` hook is your sole authorization check for subscriptions, verify after the change that it runs for every subscription connection.
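An added example, not Strawberry's code, of enforcing the same restriction one layer out: an ASGI middleware that removes `graphql-ws` from the client's subprotocol offer before the upgrade reaches the GraphQL app and refuses handshakes that offer nothing else. It assumes the application is served over ASGI (Starlette/FastAPI, as Strawberry's router is), and that close code 4406 is acceptable for a refused subprotocol; it is meant as defence in depth at a gateway, or for a deployment whose view configuration cannot be changed right away, not as a replacement for the `subscription_protocols` setting.

```python
"""ASGI middleware refusing the legacy graphql-ws subprotocol (added example).

Not Strawberry's code. Assumptions: the app is ASGI; close code 4406 is used
for a refused subprotocol offer; the downstream app handles a missing
Sec-WebSocket-Protocol header itself.
"""
import asyncio
from typing import Any, Optional

LEGACY_SUBPROTOCOL = "graphql-ws"
PROTOCOL_HEADER = b"sec-websocket-protocol"
CLOSE_SUBPROTOCOL_NOT_ACCEPTABLE = 4406  # assumed close code


def strip_legacy_offer(headers: list[tuple[bytes, bytes]]):
    """Return (rewritten headers, remaining offered subprotocols, header_was_present).
    ASGI header names are lower-case bytes; a client may send one combined
    header or several, so every occurrence is merged into one."""
    kept, offered, had_header = [], [], False
    for name, value in headers:
        if name.lower() != PROTOCOL_HEADER:
            kept.append((name, value))
            continue
        had_header = True
        for proto in value.decode("latin-1").split(","):
            proto = proto.strip()
            if proto and proto != LEGACY_SUBPROTOCOL:
                offered.append(proto)
    if offered:
        kept.append((PROTOCOL_HEADER, ", ".join(offered).encode("latin-1")))
    return kept, offered, had_header


class RefuseLegacyGraphQLWS:
    """Drop graphql-ws from WebSocket upgrades; refuse offers that contain only it."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope: dict[str, Any], receive, send) -> None:
        if scope["type"] != "websocket":
            await self.app(scope, receive, send)
            return
        headers, offered, had_header = strip_legacy_offer(scope.get("headers", []))
        if had_header and not offered:
            # Only the legacy subprotocol was offered. Consume the connect event,
            # then close before accepting: per the ASGI spec the server answers
            # the upgrade with HTTP 403 and the GraphQL app never sees it.
            await receive()
            await send({"type": "websocket.close", "code": CLOSE_SUBPROTOCOL_NOT_ACCEPTABLE})
            return
        await self.app({**scope, "headers": headers}, receive, send)


def simulate_handshake(offered: Optional[str]) -> dict[str, Any]:
    """Drive the middleware with a fake ASGI server for one upgrade (no network)
    and report the subprotocol offer the downstream app saw and any close code."""
    seen: dict[str, Any] = {"forwarded": None, "close_code": None}

    async def downstream(scope, receive, send):
        raw = dict(scope["headers"]).get(PROTOCOL_HEADER)
        seen["forwarded"] = raw.decode("latin-1") if raw else None
        await send({"type": "websocket.accept"})

    async def receive():
        return {"type": "websocket.connect"}

    async def send(message):
        if message["type"] == "websocket.close":
            seen["close_code"] = message["code"]

    headers = [(b"host", b"api.example.test")]
    if offered is not None:
        headers.append((PROTOCOL_HEADER, offered.encode("latin-1")))
    scope = {"type": "websocket", "path": "/graphql", "headers": headers}
    asyncio.run(RefuseLegacyGraphQLWS(downstream)(scope, receive, send))
    return seen


if __name__ == "__main__":
    for offer in ["graphql-ws", "graphql-ws, graphql-transport-ws", "graphql-transport-ws", None]:
        print(f"{offer!r:40} -> {simulate_handshake(offer)}")
```

Wrap the real app as `RefuseLegacyGraphQLWS(app)` (or mount it in front of the GraphQL router only). A client offering both subprotocols is silently steered to `graphql-transport-ws`; a client offering only `graphql-ws` gets a refused handshake, which is the same outcome the in-app setting produces.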


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to bypass authentication on WebSocket subscription endpoints, potentially exposing sensitive data without proper authorization.

Such unauthorized access can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, applications using vulnerable versions of strawberry-graphql may fail to comply with these standards due to the risk of unauthorized data exposure.

Mitigating the vulnerability by upgrading to version 0.312.3 or later, or disabling the legacy subprotocol, is necessary to maintain compliance.

