DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35526: Denial of Service via Resource Exhaustion in Strawberry GraphQL Subscriptions

Vulnerability ID: CVE-2026-35526
CVSS Score: 7.5
Published: 2026-04-06

Strawberry GraphQL prior to version 0.312.3 is vulnerable to an unauthenticated Denial of Service (DoS) attack due to unbounded resource allocation in its WebSocket subscription handlers. An attacker can exhaust server memory and CPU by sending a flood of subscription requests over a single connection.

TL;DR

Unbounded WebSocket subscriptions in Strawberry GraphQL allow unauthenticated remote attackers to exhaust server memory and CPU, leading to Denial of Service. Fixed in version 0.312.3.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • Impact: Denial of Service
  • Exploit Status: PoC
  • CISA KEV: False

Affected Systems

  • Strawberry GraphQL WebSocket implementations
  • Python ASGI applications utilizing Strawberry WebSockets
  • strawberry-graphql: < 0.312.3 (Fixed in: 0.312.3)

Code Analysis

Commit: 0977a4e

Introduced max_subscriptions_per_connection limit and enforced graphql-ws initialization requirements

Mitigation Strategies

  • Upgrade to strawberry-graphql version 0.312.3
  • Configure max_subscriptions_per_connection limits
  • Implement application-level rate limiting for WebSocket frames
  • Deploy WAF rules to detect and drop anomalous WebSocket volumetric traffic

Remediation Steps:

  1. Identify all projects importing strawberry-graphql.
  2. Update the dependency version in requirements.txt, pyproject.toml, or equivalent manifest to >=0.312.3.
  3. Explicitly configure max_subscriptions_per_connection in the GraphQL router initialization if the default of 100 is unsuitable.
  4. Execute automated test suites to ensure existing subscription functionalities operate within the new boundaries.
  5. Deploy the updated application to staging and production environments.
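The two controls the fix introduced, a subscribe that is only honoured after the graphql-ws handshake and a hard cap on live subscriptions per connection, as an added example (not Strawberry's own code). Close codes 4400, 4401 and 4409 are graphql-ws protocol codes; the 4429 code used for the cap is an assumption, as is the handler's shape.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_SUBSCRIPTIONS_PER_CONNECTION = 100  # the default named in the advisory


@dataclass
class ConnectionState:
    """Per-WebSocket bookkeeping: one instance per client connection."""
    initialised: bool = False
    active: set = field(default_factory=set)  # ids of live subscriptions
    limit: int = MAX_SUBSCRIPTIONS_PER_CONNECTION


@dataclass
class Outcome:
    """Result of one inbound frame: a reply type to send, or a close code."""
    reply: Optional[str] = None
    close_code: Optional[int] = None
    reason: str = ""


def handle_message(state: ConnectionState, msg: dict) -> Outcome:
    kind = msg.get("type")
    if kind == "connection_init":
        state.initialised = True
        return Outcome(reply="connection_ack")
    if kind == "subscribe":
        if not state.initialised:
            # graphql-ws: subscribing before the handshake closes the socket
            return Outcome(close_code=4401, reason="Unauthorized")
        sub_id = msg.get("id")
        if sub_id in state.active:
            return Outcome(close_code=4409, reason=f"Subscriber for {sub_id} already exists")
        if len(state.active) >= state.limit:
            # The fix: refuse to allocate anything beyond the per-connection cap
            return Outcome(close_code=4429, reason="Too many subscriptions")
        state.active.add(sub_id)
        return Outcome(reply="next")  # streaming of 'next' frames would begin here
    if kind == "complete":
        state.active.discard(msg.get("id"))  # client cancelled: slot is released
        return Outcome()
    return Outcome(close_code=4400, reason="Invalid message")


def simulate_subscriptions(n: int, limit: int) -> tuple:
    """Constructed scenario: one client opens n subscriptions over one connection.
    Returns (subscriptions still active, close code if the server cut the socket)."""
    state = ConnectionState(limit=limit)
    handle_message(state, {"type": "connection_init"})
    for i in range(n):
        out = handle_message(state, {"type": "subscribe", "id": str(i),
                                     "payload": {"query": "subscription { tick }"}})
        if out.close_code is not None:
            return len(state.active), out.close_code
    return len(state.active), None
```

Running `simulate_subscriptions(150, 100)` shows the connection holding exactly 100 subscriptions before the 101st request closes it, the bound the vulnerable versions lacked.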

Read the full report for CVE-2026-35526 on our website for more details including interactive diagrams and full exploit analysis.
