
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47707: GraphQL Alias Amplification Bypass in Strawberry GraphQL MaxAliasesLimiter


Vulnerability ID: CVE-2026-47707
CVSS Score: 5.3
Published: 2026-06-04

A security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. Because the limiter does not count aliases introduced through GraphQL fragment spreads, a client can submit a query whose effective alias count far exceeds the configured limit, causing uncontrolled backend resource consumption and an application-level denial of service.

TL;DR

The MaxAliasesLimiter extension in strawberry-graphql does not account for fragment spreads during its pre-execution static analysis: aliases that enter the query only through a spread fragment are never counted. An attacker can therefore stay under the alias threshold as the limiter sees it while the executor resolves thousands of aliased fields, leading to denial of service.
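To make the gap concrete, the following added example (not code from strawberry-graphql or from the report) walks a hand-built, simplified query AST two ways: once counting only the aliases visible in the operation body, and once expanding every fragment spread the way the executor will. The node shape, the field names and the sample document are all constructed for this example.

```python
# Simplified AST shape, constructed for this example (not real parser output):
#   {"kind": "field", "name": str, "alias": str or None, "selections": [...]}
#   {"kind": "fragment_spread", "name": str}

def count_aliases_naive(selections: list) -> int:
    """Counts aliases in the operation body only; spreads are never followed."""
    total = 0
    for node in selections:
        if node["kind"] == "field":
            total += 1 if node.get("alias") else 0
            total += count_aliases_naive(node.get("selections", []))
    return total

def count_aliases_expanded(selections: list, fragments: dict,
                           active: frozenset = frozenset()) -> int:
    """Counts aliases as the executor sees them: every spread is expanded in
    place, so a fragment spread k times contributes its aliases k times."""
    total = 0
    for node in selections:
        if node["kind"] == "field":
            total += 1 if node.get("alias") else 0
            total += count_aliases_expanded(node.get("selections", []), fragments, active)
        elif node["kind"] == "fragment_spread":
            name = node["name"]
            if name in active:  # cyclic spreads are invalid GraphQL; refuse, never recurse
                raise ValueError(f"cyclic fragment spread: {name}")
            if name not in fragments:
                raise ValueError(f"unknown fragment: {name}")
            total += count_aliases_expanded(fragments[name], fragments, active | {name})
    return total

def build_document(parents: int, aliases_per_fragment: int):
    """Constructed sample: one fragment holding N aliased leaf fields, spread
    once under each of M differently aliased parent fields."""
    fragments = {"F": [{"kind": "field", "name": "id", "alias": f"f{i}", "selections": []}
                       for i in range(aliases_per_fragment)]}
    operation = [{"kind": "field", "name": "node", "alias": f"p{j}",
                  "selections": [{"kind": "fragment_spread", "name": "F"}]}
                 for j in range(parents)]
    return operation, fragments

def evaluate(parents: int, aliases_per_fragment: int, limit: int):
    """Returns (naive_count, expanded_count, naive_allows, expanded_allows)."""
    operation, fragments = build_document(parents, aliases_per_fragment)
    naive = count_aliases_naive(operation)
    expanded = count_aliases_expanded(operation, fragments)
    return naive, expanded, naive <= limit, expanded <= limit

if __name__ == "__main__":
    print(evaluate(parents=20, aliases_per_fragment=50, limit=100))  # (20, 1020, True, False)
```

The naive count accepts the sample document under a limit of 100 while the expanded count rejects it, which is the discrepancy a regression test for the fixed limiter should assert on.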


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400 (Uncontrolled Resource Consumption)
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 5.3 (Medium)
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed
  • Primary Impact: Availability (Application-level Denial of Service)

Affected Systems

  • strawberry-graphql: >= 0.172.0, < 0.315.7 (Fixed in: 0.315.7)

Code Analysis

Commit: a69221f

fix fragment issues (#4421)


Mitigation Strategies

  • Upgrade strawberry-graphql to version 0.315.7 or higher.
  • Disable the MaxAliasesLimiter extension in configuration files if immediate patching is not possible.
  • Deploy a Web Application Firewall (WAF) or a query validation layer that inspects incoming queries for repeated or deeply nested fragment spreads.

Remediation Steps:

  1. Identify all internal services employing strawberry-graphql in Python dependencies.
  2. Execute pip install --upgrade "strawberry-graphql>=0.315.7" or update your pyproject.toml / requirements.txt declarations.
  3. Verify that the GraphQL router initializes the MaxAliasesLimiter with safe max_alias_count configurations.
  4. Run regression testing to confirm that legitimate client operations using fragments continue to work as expected.



