CVE-2026-35526
Denial of Service via Unrestricted WebSocket Subscriptions in Strawberry GraphQL
Publication date: 2026-04-07
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| strawberry | strawberry_graphql | up to 0.312.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described in CVE-2026-35526 is a Denial of Service (DoS) issue that can cause server degradation or an out-of-memory crash by exhausting resources through unbounded WebSocket subscriptions.
While the vulnerability impacts availability by potentially disrupting service, there is no indication that it affects confidentiality or integrity of data.
Common standards and regulations like GDPR and HIPAA emphasize the protection of confidentiality, integrity, and availability of data and services. This vulnerability primarily threatens availability, which could lead to non-compliance if critical services are disrupted and not properly mitigated.
Therefore, organizations using affected versions of Strawberry GraphQL may face compliance risks related to availability requirements under these regulations if the vulnerability is exploited and not remediated.
How can this vulnerability impact me?:
This vulnerability can lead to a Denial of Service (DoS) condition on the affected server. Because the server spawns new tasks and allocates resources for every subscribe message without limits, an attacker can exhaust server memory and saturate the event loop.
As a result, the server may experience severe performance degradation or crash due to out-of-memory (OOM) conditions, making the GraphQL API unavailable to legitimate users.
Can you explain this vulnerability to me?
CVE-2026-35526 is a Denial of Service (DoS) vulnerability in the Strawberry GraphQL library versions up to 0.312.2. It affects the WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols. The vulnerability arises because the server allocates a new asyncio.Task and an associated Operation object for every incoming subscribe message without limiting the number of active subscriptions per connection.
An unauthenticated attacker can exploit this by opening a single WebSocket connection, sending a connection_init message, and then flooding the server with subscribe messages, each with a unique ID. Every subscribe message causes the server to spawn a new asyncio.Task and async generator, which leads to linear memory growth and event loop saturation.
This uncontrolled resource consumption can degrade server performance or cause an out-of-memory (OOM) crash. The issue was fixed in Strawberry GraphQL version 0.312.3.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an unauthenticated attacker opening a WebSocket connection and flooding the server with subscribe messages with unique IDs, causing resource exhaustion. Detection can focus on monitoring WebSocket connections for unusually high numbers of subscribe messages from a single connection.
You can detect potential exploitation by observing WebSocket traffic patterns and server resource usage, for example by monitoring the number of active subscriptions per connection or the number of asyncio.Tasks spawned for WebSocket subscriptions.
- Use network monitoring tools (e.g., Wireshark or tcpdump) to capture WebSocket traffic and filter for subscribe messages.
- On the server, monitor resource usage (CPU, memory) and the number of asyncio.Tasks related to WebSocket subscriptions using Python debugging or profiling tools.
- Example command to capture WebSocket traffic on port 80 or 443: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'subscribe'. Note that the grep only matches readable payloads: traffic on port 443 is TLS-encrypted, and RFC 6455 requires client-to-server WebSocket frames to be masked, so the literal string "subscribe" will normally not appear on the wire. Counting frames per connection, or server-side instrumentation, is the more reliable signal.
- Use application logs or add instrumentation to log the number of subscribe messages per WebSocket connection.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Strawberry GraphQL to version 0.312.3 or later, where this vulnerability is fixed.
Until the upgrade can be applied, consider implementing rate limiting or throttling on WebSocket subscribe messages per connection to prevent resource exhaustion.
Additionally, monitor server resource usage closely to detect and respond to abnormal spikes caused by potential exploitation.