HIGH · CVE-2026-35526 · CVSS 7.5

CVE-2026-35526

Platform: python
Component: strawberry-graphql
Fixed versions: 0.312.4, 0.312.3

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-35526 describes a denial-of-service (DoS) vulnerability in Strawberry GraphQL, a Python library for building GraphQL APIs. The server creates a new asynchronous task for every subscription message it receives over a WebSocket connection, with no cap on how many may be active per connection, so an attacker can keep allocating tasks until the server is overwhelmed. Versions 0.0.0 through 0.312.2 are affected; upgrading to version 0.312.3 resolves the issue.


Impact and attack scenarios

An unauthenticated attacker opens a single WebSocket connection and rapidly sends a flood of subscription messages, each with a unique operation id. For every message the server creates a new asyncio.Task and an associated Operation object, and nothing bounds how many may be active per connection or how quickly they may be created. The tasks and their bookkeeping accumulate until CPU and memory are exhausted and the event loop can no longer serve legitimate requests, which denies service on the GraphQL endpoint. Because the tasks are tied to the connection, one client is enough; the blast radius is every user of the affected endpoint, and in production the impact can be significant.

Exploitation context

This vulnerability was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code had been released at the time of writing, but the attack is simple to carry out (a WebSocket client and a loop that emits subscription messages), so the absence of a PoC is not a meaningful barrier. The vulnerability is not listed on CISA KEV, and its EPSS score is low (0.06%, 18th percentile at the time of review). Active exploitation is not confirmed, but because no authentication is required it should be treated as a high-priority concern for any exposed endpoint.

Who is at risk

Applications that use Strawberry GraphQL to serve subscriptions over WebSockets are at risk, and the exposure is greatest for endpoints reachable from untrusted networks. Authentication does not remove the risk, since an authenticated client can send the same flood, but it does shrink the pool of possible attackers. Shared hosting environments where multiple applications share the same server resources are especially exposed, because one attacker on one endpoint can starve every application on the host.

Detection steps

• python / server:

import asyncio
from importlib.metadata import PackageNotFoundError, version

import psutil

# First fixed release according to the advisory.
FIXED_VERSION = (0, 312, 3)


def strawberry_is_vulnerable():
    """Return True if the installed strawberry-graphql predates the fix.

    Reads the version from package metadata, which works whether or not the
    package exposes a __version__ attribute."""
    try:
        installed = version("strawberry-graphql")
    except PackageNotFoundError:
        return False  # not installed, nothing to patch
    parts = tuple(int(p) for p in installed.split(".")[:3] if p.isdigit())
    print(f"strawberry-graphql {installed} installed, fixed in 0.312.3")
    return parts < FIXED_VERSION


async def monitor_resources(interval=5):
    """Print CPU and memory usage so spikes during WebSocket floods stand out."""
    while True:
        cpu_usage = psutil.cpu_percent(interval=1)
        memory_usage = psutil.virtual_memory().percent
        print(f"CPU Usage: {cpu_usage}%, Memory Usage: {memory_usage}%")
        await asyncio.sleep(interval)  # must be awaited; a bare asyncio.sleep() never runs


if __name__ == "__main__":
    print("vulnerable:", strawberry_is_vulnerable())
    asyncio.run(monitor_resources())
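Resource graphs only show that something is wrong; to attribute it to this CVE you want to see one connection emitting far more subscribe messages than any legitimate client. The following is an added example, not code from the page or from the Strawberry project, of a sliding-window counter run over constructed log lines. The log format (one line per inbound WebSocket frame with a connection id and the graphql-transport-ws message type) is an assumption for the example; Strawberry does not emit such lines by itself, so you would have to log them from your own WebSocket layer or a proxy. The same counter, placed in the request path, doubles as the per-connection rate limit recommended under mitigations.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one line per inbound
# WebSocket message, tagged with its connection and graphql-transport-ws type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\S+) type=(?P<type>\S+)(?: id=(?P<id>\S+))?$"
)


def find_subscribe_floods(lines, max_per_window=50, window_seconds=10.0):
    """Flag connections that send more than max_per_window 'subscribe'
    messages inside any sliding window of window_seconds.

    Returns {conn_id: (timestamp_of_first_breach, count_in_window)}.
    """
    recent = defaultdict(deque)  # conn -> timestamps of recent subscribes
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["type"] != "subscribe":
            continue
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        window = recent[m["conn"]]
        window.append(ts)
        # Drop subscribes that have fallen out of the sliding window.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if len(window) > max_per_window and m["conn"] not in flagged:
            flagged[m["conn"]] = (ts, len(window))
    return flagged


def build_sample_log():
    """Constructed traffic: one benign client and one single-socket flood."""
    base = datetime(2026, 4, 7, 10, 0, 0)
    lines = [f"{base.isoformat()} conn=c1 type=connection_init"]
    # Benign: a dashboard opening three subscriptions over a minute.
    for i in range(3):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} conn=c1 type=subscribe id={i + 1}")
    lines.append(f"{base.isoformat()} conn=c2 type=connection_init")
    # Attack: 500 unique subscription ids in two seconds on one connection,
    # the pattern CVE-2026-35526 describes.
    for i in range(500):
        t = base + timedelta(milliseconds=4 * i)
        lines.append(f"{t.isoformat()} conn=c2 type=subscribe id=op-{i}")
    return lines


if __name__ == "__main__":
    for conn, (when, count) in find_subscribe_floods(build_sample_log()).items():
        print(f"{conn}: {count} subscribes within the window, first breach at {when:.3f}")
```

The thresholds (50 subscribes per 10 seconds) are placeholders; set them from the maximum a real client of yours opens, and keep the window short so a slow drip of subscriptions that never complete is caught by the active-operation cap rather than by this counter.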

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: no
Internet exposure
Reports: 1 threat report

EPSS

0.06% (18th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical impact: partial

CVSS vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base score: 7.5 HIGH (nextguardhq.com · CVSS v3.1 base score)

What do these metrics mean?

Attack Vector: Network. How the attacker reaches the target. Remotely exploitable over the internet with no physical or local access; the largest attack surface.
Attack Complexity: Low. Conditions needed to exploit the flaw. No special conditions; the vulnerability can be exploited reliably.
Privileges Required: None. Authentication level needed to attack. No authentication and no credentials are needed.
User Interaction: None. Whether the victim must act. The attack is automatic and silent; the victim does nothing.
Scope: Unchanged. Impact beyond the affected component. Impact is confined to the vulnerable component itself.
Confidentiality: None. Risk of sensitive data exposure. No confidentiality impact.
Integrity: None. Risk of unauthorized data modification. No integrity impact.
Availability: High. Risk of service disruption. Complete crash or resource exhaustion; total denial of service.

Affected software

Component: strawberry-graphql
Vendor: strawberry-graphql

Affected range    Fixed version
< 0.312.3         0.312.4
< 0.312.3         0.312.3

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Patch released 2 days before disclosure.

Mitigations and workarounds

The primary mitigation is to upgrade Strawberry GraphQL to version 0.312.3 or later, which limits the number of active subscriptions per connection. If an immediate upgrade is not feasible, rate-limit subscription messages per WebSocket connection (messages per unit of time, and ideally a cap on concurrently active operations) at the application or proxy layer. A web application firewall can block suspicious subscription patterns only if it inspects WebSocket frames rather than just the HTTP upgrade request, so verify that before relying on it. Monitoring server resource utilization (CPU, memory, live tasks per connection) remains essential to spot an attack in progress.

Remediation

Upgrade Strawberry GraphQL to version 0.312.3 or later to mitigate the denial-of-service vulnerability. This version introduces limits on the number of active WebSocket subscriptions per connection, preventing excessive resource consumption and possible crashes.
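To make the attack scenario above and the per-connection limit introduced by the fix concrete, here is an added example that is not Strawberry's own code: a minimal model of a WebSocket subscription dispatcher in the shape the advisory describes (one asyncio.Task and one bookkeeping entry per subscribe message), first unbounded, then hardened with a duplicate-id check and a cap on live subscriptions. The message layout follows the graphql-transport-ws protocol, and the cap value MAX_ACTIVE_SUBSCRIPTIONS is a hypothetical number chosen for the example, since the advisory does not state the limit the fix applies.

```python
from __future__ import annotations

import asyncio
import json
from dataclasses import dataclass, field

# Hypothetical cap: the advisory says the fix limits active subscriptions per
# connection but does not give the number, so choose one for your deployment.
MAX_ACTIVE_SUBSCRIPTIONS = 100


@dataclass
class Connection:
    """Per-WebSocket state: live subscription tasks keyed by operation id."""
    operations: dict[str, asyncio.Task] = field(default_factory=dict)
    replies: list[dict] = field(default_factory=list)


async def run_subscription(op_id: str) -> None:
    # Stand-in for the resolver's async generator: the task (and its entry in
    # Connection.operations) stays alive until it is cancelled.
    await asyncio.Event().wait()


async def handle_unbounded(conn: Connection, raw: str) -> None:
    """The vulnerable shape: one new task per 'subscribe' message, no limit."""
    msg = json.loads(raw)
    if msg.get("type") != "subscribe":
        return
    conn.operations[msg["id"]] = asyncio.create_task(run_subscription(msg["id"]))


async def handle_bounded(conn: Connection, raw: str) -> None:
    """Hardened shape: reject duplicate ids and cap live subscriptions."""
    msg = json.loads(raw)
    if msg.get("type") != "subscribe":
        return
    op_id = msg["id"]
    if op_id in conn.operations:
        conn.replies.append({"id": op_id, "type": "error",
                             "payload": [{"message": "Subscriber already exists"}]})
        return
    if len(conn.operations) >= MAX_ACTIVE_SUBSCRIPTIONS:
        conn.replies.append({"id": op_id, "type": "error",
                             "payload": [{"message": "Too many active subscriptions"}]})
        return
    task = asyncio.create_task(run_subscription(op_id))
    # Free the slot when the subscription completes or is cancelled.
    task.add_done_callback(lambda _t, op_id=op_id: conn.operations.pop(op_id, None))
    conn.operations[op_id] = task


def subscribe_flood(n: int) -> list[str]:
    """Constructed attacker traffic: n unique subscribe frames on one socket."""
    return [json.dumps({"id": f"op-{i}", "type": "subscribe",
                        "payload": {"query": "subscription { tick }"}})
            for i in range(n)]


async def _drive(handler, frames: list[str]) -> tuple[int, int]:
    conn = Connection()
    for raw in frames:
        await handler(conn, raw)
    live, rejected = len(conn.operations), len(conn.replies)
    for task in conn.operations.values():
        task.cancel()
    await asyncio.gather(*conn.operations.values(), return_exceptions=True)
    return live, rejected


def simulate(handler, frames: list[str]) -> tuple[int, int]:
    """Feed frames to handler on one connection; return (live tasks, rejected)."""
    return asyncio.run(_drive(handler, frames))


def compare(n: int = 5000) -> dict[str, tuple[int, int]]:
    """(live tasks, rejected messages) after n subscribe frames per handler."""
    return {"unbounded": simulate(handle_unbounded, subscribe_flood(n)),
            "bounded": simulate(handle_bounded, subscribe_flood(n))}


if __name__ == "__main__":
    print(compare())  # {'unbounded': (5000, 0), 'bounded': (100, 4900)}
```

With 5000 frames the unbounded handler holds 5000 live tasks (and would hold 500000 just as readily), while the bounded one holds at most 100 and answers the rest with protocol-level error messages the client can see. The cap bounds memory per connection; pair it with a per-connection message rate limit so that the cost of rejecting the flood does not itself become the CPU problem.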


Frequently asked questions

What is CVE-2026-35526 — WebSocket DoS in Strawberry GraphQL?

CVE-2026-35526 is a denial-of-service vulnerability in Strawberry GraphQL versions 0.0.0 through 0.312.2, allowing attackers to exhaust server resources by flooding subscription messages.

Am I affected by CVE-2026-35526 in Strawberry GraphQL?

If you are using Strawberry GraphQL versions 0.0.0 through 0.312.2, you are potentially affected by this vulnerability. Upgrade to 0.312.3 or later to mitigate the risk.

How do I fix CVE-2026-35526 in Strawberry GraphQL?

The recommended fix is to upgrade Strawberry GraphQL to version 0.312.3 or later. Consider implementing rate limiting on WebSocket connections as a temporary workaround.

Is CVE-2026-35526 being actively exploited?

Active exploitation has not been confirmed, but the vulnerability's ease of exploitation makes it a potential target. Continuous monitoring is advised.

Where can I find the official Strawberry GraphQL advisory for CVE-2026-35526?

Refer to the Strawberry GraphQL project's official advisory and release notes for detailed information and updates: [https://strawberry.py/docs/releases](https://strawberry.py/docs/releases)
