CVE-2026-45739
Analyzed Analyzed - Analysis Complete
Stored XSS in Strawberry GraphQL via URL Query String

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-45739
EUVD
EUVD-2026-34270
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
strawberry strawberry_graphql From 0.288.4 (inc) to 0.315.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Strawberry GraphQL versions 0.288.4 through 0.315.3 in its bundled GraphiQL template. When users enter HTTP headers, including sensitive ones like Authorization tokens, into the GraphiQL headers editor, these header values are written into the browser's URL query string.

Because the sensitive header values are included in the URL, they can become visible in browser history, shared links, and server or proxy access logs after a page reload or when the request is shared.

This issue was introduced by a URL-sharing feature that persists queries, variables, and headers via URL parameters. The vulnerability does not allow direct execution of unauthorized operations but risks exposure of sensitive tokens.

The issue was fixed in version 0.315.4 by removing the serialization of header values into the URL while preserving local persistence and other URL-sharing features.

Impact Analysis

If you use a vulnerable version of Strawberry GraphQL and enter sensitive headers such as Authorization tokens in the GraphiQL interface, these values can be exposed unintentionally.

  • Sensitive header values may be stored in browser history, making them accessible to anyone with access to the browser.
  • Shared URLs containing these headers can leak tokens to unintended recipients.
  • Server, proxy, or CDN access logs may record these sensitive headers, increasing the risk of exposure.

While the vulnerability does not allow attackers to bypass authorization or execute operations directly, the exposure of sensitive tokens can lead to unauthorized access if those tokens are compromised.

Detection Guidance

This vulnerability can be detected by checking if sensitive HTTP headers, such as Authorization tokens, are being exposed in browser URL query strings, browser history, shared links, or server/proxy/CDN access logs after using the Strawberry GraphQL bundled GraphiQL interface.

To detect this on your system or network, you can inspect server or proxy logs for URLs containing sensitive header values like Bearer tokens.

Example commands to search logs for exposed tokens might include:

  • Using grep to find Authorization headers in logs: grep -i 'Authorization: Bearer' /path/to/access.log
  • Searching for URL query strings containing 'Authorization' or 'Bearer': grep -i 'Authorization' /path/to/access.log
  • Checking browser history or shared URLs for sensitive tokens manually or via browser developer tools.
Mitigation Strategies

Immediate mitigation steps include upgrading Strawberry GraphQL to version 0.315.4 or later, where the vulnerability is patched by removing URL serialization of header values.

If upgrading is not immediately possible, temporary mitigations include:

  • Disabling the bundled GraphiQL IDE in production environments to prevent exposure of sensitive headers.
  • Using a custom GraphiQL template that avoids serializing headers into the URL.
  • Avoid entering sensitive headers in the GraphiQL headers editor until the fix is applied.
Compliance Impact

This vulnerability causes sensitive HTTP header values, such as Authorization tokens, to be written into the browser URL query string. As a result, these sensitive values can become visible in browser history, shared links, and server/proxy/CDN access logs.

Exposure of sensitive authentication tokens or headers in logs and URLs can lead to unauthorized access or data leakage, which may violate data protection requirements under regulations like GDPR and HIPAA that mandate protection of personal and sensitive information.

Although the vulnerability requires user interaction to enter the secret and does not allow direct bypass of authorization, the inadvertent exposure of sensitive tokens in multiple locations increases the risk of data compromise and non-compliance with standards that require secure handling of authentication credentials.

The issue was patched in version 0.315.4 by removing URL serialization of header values while preserving local persistence and other URL-sharing features, reducing the risk of sensitive data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart