strawberry-graphql
Fixed in
0.312.4
0.312.3
CVE-2026-35523 describes an authentication bypass vulnerability affecting Strawberry GraphQL versions 0.0.0 up to 0.312.2. This flaw allows attackers to bypass authentication checks on WebSocket subscription endpoints, leading to potential unauthorized access and data exposure. The vulnerability is due to insufficient handshake verification and has been resolved in version 0.312.3.
An attacker can exploit this vulnerability by connecting to the Strawberry GraphQL WebSocket subscription endpoint using the graphql-ws subprotocol. By directly sending a 'start' message without completing the connection_init handshake, the attacker can circumvent the on_ws_connect authentication hook entirely. This effectively grants them access to subscribed data and functionality without proper authentication. The potential impact includes unauthorized data retrieval, modification, or even injection of malicious data into the GraphQL API, depending on the application's logic and data sensitivity. This bypass could be leveraged to gain access to sensitive user data or disrupt the service.
CVE-2026-35523 was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a POC is developed. The CVSS score of 7.5 (HIGH) reflects the potential for significant impact if exploited.
Applications utilizing Strawberry GraphQL for building GraphQL APIs, particularly those relying on WebSocket subscriptions for real-time data updates, are at risk. Systems with legacy graphql-ws subprotocol enabled are especially vulnerable. Developers who have not recently updated their Strawberry GraphQL dependencies should prioritize patching.
• python / server:
import websocket  # websocket-client package

# Open the connection with the legacy graphql-ws subprotocol and deliberately skip connection_init.
ws = websocket.WebSocket()
ws.connect('ws://your-graphql-endpoint', subprotocols=['graphql-ws'])
ws.send('{"id":"1","type":"start","payload":{"query":"subscription MySubscription { ... }","variables":{}}}')
# A patched server rejects or closes the connection because no connection_init was sent.
# If the subscription is established without handshake verification, the system is vulnerable.
print(ws.recv())
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35523 is to upgrade Strawberry GraphQL to version 0.312.3 or later, which includes the necessary handshake verification fix. If upgrading immediately is not feasible, consider implementing a temporary workaround by rigorously validating the connection_init handshake within the on_ws_connect hook. This might involve checking for specific headers or parameters expected in the handshake. Additionally, consider implementing a Web Application Firewall (WAF) rule to block connections using the graphql-ws subprotocol that do not include a valid connection_init message. After upgrading, confirm the fix by attempting to establish a WebSocket subscription connection without sending a connection_init message; the connection should be rejected.
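To make the bypass described above and the handshake check recommended here concrete, the following is an added example (not Strawberry's code) modelling the legacy graphql-ws message flow on the server side: the hypothetical `on_ws_connect` hook and the `demo-token` credential are constructed for the example, and the `enforce_handshake` switch contrasts the vulnerable acceptance of 'start' before connection_init with the fixed behaviour.

```python
import json
from typing import Callable, Optional

# Constructed model of the legacy graphql-ws (subscriptions-transport-ws) message flow,
# added as an illustration; it is not Strawberry's implementation. The auth hook is a
# hypothetical stand-in for the framework's on_ws_connect hook.

ALLOWED_TOKEN = "demo-token"  # constructed sample credential


def on_ws_connect(payload: dict) -> bool:
    """Hypothetical auth hook: accept only a connection_init carrying the expected token."""
    return payload.get("Authorization") == f"Bearer {ALLOWED_TOKEN}"


class LegacyGraphQLWSHandler:
    """Server-side handler that requires an acknowledged connection_init before any 'start'."""

    def __init__(self, auth_hook: Callable[[dict], bool], enforce_handshake: bool = True):
        self.auth_hook = auth_hook
        self.enforce_handshake = enforce_handshake  # False reproduces the vulnerable behaviour
        self.initialized = False
        self.closed = False
        self.subscriptions = set()

    def handle(self, raw: str) -> Optional[dict]:
        """Process one client message; return the reply to send (None when there is none)."""
        msg = json.loads(raw)
        mtype = msg.get("type")
        if mtype == "connection_init":
            if not self.auth_hook(msg.get("payload") or {}):
                self.closed = True
                return {"type": "connection_error", "payload": {"message": "forbidden"}}
            self.initialized = True
            return {"type": "connection_ack"}
        if self.enforce_handshake and not self.initialized:
            # Fixed behaviour: no operation is accepted until connection_init was acknowledged.
            self.closed = True
            return {"type": "connection_error", "payload": {"message": "connection_init required"}}
        if mtype == "start":
            self.subscriptions.add(msg["id"])  # subscription established; data frames follow later
            return None
        if mtype == "stop":
            self.subscriptions.discard(msg["id"])
            return {"id": msg["id"], "type": "complete"}
        return {"type": "error", "payload": {"message": f"unknown message type {mtype!r}"}}


def probe(handler: LegacyGraphQLWSHandler) -> bool:
    """The post-upgrade check from the advisory: send 'start' with no connection_init.
    Returns True when the handler refused it, i.e. the patched behaviour."""
    reply = handler.handle('{"id":"1","type":"start","payload":{"query":"subscription { ping }"}}')
    return reply is not None and reply["type"] == "connection_error" and handler.closed
```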
Update Strawberry GraphQL to version 0.312.3 or later to fix the authentication bypass vulnerability on WebSocket subscription endpoints. Make sure to check the Strawberry GraphQL documentation for specific upgrade instructions and possible configuration changes.
CVE-2026-35523 is a HIGH severity vulnerability in Strawberry GraphQL versions 0.0.0 through 0.312.2 that allows attackers to bypass authentication on WebSocket subscription endpoints.
If you are using Strawberry GraphQL versions 0.0.0 through 0.312.2, you are potentially affected by this vulnerability. Upgrade to 0.312.3 or later to mitigate the risk.
The recommended fix is to upgrade Strawberry GraphQL to version 0.312.3 or later. As a temporary workaround, implement rigorous handshake validation in your application logic.
As of the current disclosure date, there are no confirmed reports of active exploitation of CVE-2026-35523.
Refer to the official Strawberry GraphQL documentation and security advisories for the latest information and updates regarding CVE-2026-35523.