Platform
python
Component
strawberry-graphql
Fixed in
0.312.4
0.312.3
CVE-2026-35523 describes an authentication bypass vulnerability affecting Strawberry GraphQL versions 0.0.0 up to 0.312.2. This flaw allows attackers to bypass authentication checks on WebSocket subscription endpoints, leading to potential unauthorized access and data exposure. The vulnerability is due to insufficient handshake verification and has been resolved in version 0.312.3.
An attacker can exploit this vulnerability by connecting to the WebSocket subscription endpoint using the legacy graphql-ws subprotocol. By sending a 'start' message directly without completing the connection handshake, the attacker can bypass the onwsconnect authentication hook. This effectively grants them access to subscription data and functionality without proper authentication. The impact could range from unauthorized data retrieval to potentially executing arbitrary code if the subscription logic is vulnerable. This bypass circumvents the intended security measures, allowing malicious actors to gain access to sensitive information or manipulate the GraphQL API.
CVE-2026-35523 was publicly disclosed on 2026-04-07. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35523 is to upgrade Strawberry GraphQL to version 0.312.3 or later, which includes the fix for this authentication bypass. If upgrading immediately is not feasible, consider implementing a temporary workaround by rigorously validating the connection handshake within your application logic. This might involve adding custom checks to ensure the connection_init message is received and processed before allowing any subscription messages. Additionally, review your WebSocket configuration to ensure the legacy graphql-ws subprotocol is not enabled unless absolutely necessary. After upgrading, confirm the fix by attempting to establish a WebSocket subscription connection without completing the handshake and verifying that the connection is rejected.
Update Strawberry GraphQL to version 0.312.3 or higher to mitigate the authentication bypass vulnerability in WebSocket subscription endpoints. Ensure you review the Strawberry GraphQL documentation for specific upgrade instructions and potential configuration changes.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35523 is a HIGH severity vulnerability in Strawberry GraphQL versions 0.0.0 through 0.312.2 that allows attackers to bypass authentication on WebSocket subscription endpoints.
If you are using Strawberry GraphQL versions 0.0.0 through 0.312.2, you are potentially affected by this vulnerability. Upgrade to 0.312.3 or later to mitigate the risk.
The recommended fix is to upgrade Strawberry GraphQL to version 0.312.3 or later. As a temporary workaround, implement rigorous handshake validation in your application logic.
As of the current disclosure date, there are no confirmed reports of active exploitation of CVE-2026-35523.
Refer to the official Strawberry GraphQL documentation and security advisories for the latest information and updates regarding CVE-2026-35523.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.