CVE-2026-44545
Status: Analyzed (Analysis Complete)
Daphne WebSocket Memory Exhaustion Flaw

Publication date: 2026-06-03

Last updated on: 2026-06-15

Assigner: Django Software Foundation

Description
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-15
Generated: 2026-06-24
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-22
Sources: NVD, EUVD
Affected Vendors & Products
Vendor: djangoproject
Product: daphne
Version / Range: all versions before 4.2.2 (4.2.2 itself excluded)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

This vulnerability affects the Daphne ASGI server in versions before 4.2.2. Daphne did not pass the maxFramePayloadSize and maxMessagePayloadSize limits to Autobahn's WebSocketServerFactory, and Autobahn defaults both values to 0 (unlimited), so an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames.

Because of this lack of size restriction, an attacker can cause excessive memory consumption on the server, leading to a denial of service (DoS) condition.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) attack. An attacker can send very large WebSocket messages or frames to the server, which consumes excessive memory resources.

This excessive memory consumption can degrade server performance or cause the server to crash, making the service unavailable to legitimate users.

Detection Guidance

Before version 4.2.2, a Daphne server accepts arbitrarily large WebSocket messages or frames from an unauthenticated remote client, which leads to excessive memory consumption and denial of service.

Detection can involve monitoring WebSocket traffic for unusually large message or frame sizes that exceed typical usage patterns.

Since Daphne 4.2.2 introduced command-line flags to limit WebSocket message and frame sizes, you can check your Daphne server configuration for the presence or absence of these limits.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade Daphne to version 4.2.2 or later where the issue is fixed.

Configure the WebSocket message and frame size limits using the new command-line flags or Server constructor arguments introduced in version 4.2.2:

  • --websocket-max-message-size (default 1 MiB)
  • --websocket-max-frame-size (default 1 MiB)

Avoid setting these values to 0, as that restores the previous unlimited behavior and leaves the server vulnerable.
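The detection guidance above suggests checking a Daphne deployment for the presence or absence of these limits. The following script is an added example (it is not part of this advisory or of the Daphne project): it audits a Daphne command line, as read from a process list or a service unit, together with the installed Daphne version, and reports whether the server runs with unlimited WebSocket sizes. The flag names and the 1 MiB defaults are taken from the advisory; the version strings and command lines in the script are constructed sample inputs.

```python
# Added example, not part of the advisory or of Daphne itself: audit a Daphne
# invocation for the WebSocket size limits introduced in 4.2.2.
import shlex

MESSAGE_FLAG = "--websocket-max-message-size"
FRAME_FLAG = "--websocket-max-frame-size"
FIXED_VERSION = (4, 2, 2)
DEFAULT_LIMIT = 1024 * 1024  # 1 MiB, the default for both flags from 4.2.2 on


def parse_version(version: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def flag_value(argv: list, flag: str):
    """Return the value given for flag ('--flag VALUE' or '--flag=VALUE'), or None if absent."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
    return None


def effective_limit(argv: list, flag: str) -> int:
    """Resolve the limit a 4.2.2+ Daphne applies: the explicit value, else the 1 MiB default."""
    raw = flag_value(argv, flag)
    if raw is None:
        return DEFAULT_LIMIT
    return int(raw)


def audit(cmdline: str, daphne_version: str) -> dict:
    """Classify a Daphne command line as vulnerable or not, with readable findings."""
    findings = []
    if parse_version(daphne_version) < FIXED_VERSION:
        findings.append(
            f"daphne {daphne_version} predates 4.2.2: no payload limits are passed "
            "to Autobahn, so message and frame sizes are unlimited"
        )
        return {"vulnerable": True, "findings": findings}

    argv = shlex.split(cmdline)
    vulnerable = False
    for flag in (MESSAGE_FLAG, FRAME_FLAG):
        limit = effective_limit(argv, flag)
        if limit == 0:
            # 0 is Autobahn's "unlimited" sentinel; the advisory warns against it
            findings.append(f"{flag}=0 restores unlimited size")
            vulnerable = True
        elif flag_value(argv, flag) is None:
            findings.append(f"{flag} not set: default {DEFAULT_LIMIT} bytes (1 MiB) applies")
        else:
            findings.append(f"{flag}={limit} bytes")
    return {"vulnerable": vulnerable, "findings": findings}


if __name__ == "__main__":
    # Constructed sample invocations, as they might appear in a process list or unit file
    samples = [
        ("daphne -b 0.0.0.0 -p 8000 myproject.asgi:application", "4.2.1"),
        ("daphne --websocket-max-message-size=0 myproject.asgi:application", "4.2.2"),
        ("daphne --websocket-max-message-size 1048576 "
         "--websocket-max-frame-size 65536 myproject.asgi:application", "4.2.2"),
    ]
    for cmdline, version in samples:
        result = audit(cmdline, version)
        print("VULNERABLE" if result["vulnerable"] else "ok", "-", cmdline)
        for line in result["findings"]:
            print("   ", line)
```

The version check comes first because on a pre-4.2.2 server the flags do not exist, so their absence says nothing about the configuration; on 4.2.2 or later the only unsafe setting is an explicit 0, while an absent flag falls back to the 1 MiB default.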
