CVE-2026-35526
CVE-2026-35526 concerns the Strawberry GraphQL library. Before version 0.312.3, the WebSocket subscription handlers for both graphql-transport-ws and legacy graphql-ws allocate an asyncio.Task and an associated Operation for every incoming subscribe message without enforcing a limit on active sub...
CVE-2026-35526 Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...
Strawberry GraphQL security vulnerability
Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions of Strawberry GraphQL prior to 0.312.3 contained a security vulnerability. This vulnerability stemmed from the WebSocket subscription handler not limiting the number of active subscriptions per...
Strawberry GraphQL access control vulnerability
Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions of Strawberry GraphQL prior to 0.312.3 contained a security vulnerability related to access control. This vulnerability stemmed from the WebSocket subscription endpoints' authentication process,...
CVE-2026-35413
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint...
CVE-2026-35441 Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...
CVE-2026-35441
Directus CVE-2026-35441 affects Directus up to version 11.16.x, with the GraphQL endpoints /graphql and /graphql/system failing to deduplicate resolver invocations within a single request. The vulnerability allows an authenticated user to abuse GraphQL aliasing to trigger many expensive relationa...
CVE-2026-35413 Directus GraphQL Schema SDL Disclosure Setting
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint...
CVE-2026-35413
Directus CVE-2026-35413 exposes schema structure via the server_specs_graphql resolver on /graphql/system when GRAPHQL_INTROSPECTION is false. Multiple trusted sources (Directus advisories, Red Hat, OSV, Snyk, etc.) confirm that before version 11.16.1, SDL-style schema data could be retrieved by ...
strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An...
GHSA-HV3W-M4G2-5X77 strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An...
Allocation of Resources Without Limits or Throttling
Overview: strawberry-graphql is a library for creating GraphQL APIs. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebSocket subscription handling process. An attacker can exhaust server resources by sending a large number of...
aas2openapi (>=0.2.0 <=0.2.4), adelecv (>=0.0.1 <=0.0.2) +105 more potentially affected by CVE-2026-35526 via strawberry-graphql (>=0.103.9 <=0.312.0)
strawberry-graphql PYPI version =0.103.9, =0.2.0, =0.0.1, =1.0.0, =0.0.1, =2025.4.0, =2025.4.0, =0.1.1, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2rc0, =2.11.1 and more Source cves: CVE-2026-35526 Source advisory: SNYK:PYTHON-STRAWBERRYGRAPHQL-15922315...
aas2openapi (>=0.2.0 <=0.2.4), adelecv (>=0.0.1 <=0.0.2) +105 more potentially affected by CVE-2026-35523 via strawberry-graphql (>=0.103.9 <=0.312.0)
strawberry-graphql PYPI version =0.103.9, =0.2.0, =0.0.1, =1.0.0, =0.0.1, =2025.4.0, =2025.4.0, =0.1.1, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2rc0, =2.11.1 and more Source cves: CVE-2026-35523 Source advisory: SNYK:PYTHON-STRAWBERRYGRAPHQL-15922312...
strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start subscription messages. This allows a remote...
Missing Authentication for Critical Function
Overview: strawberry-graphql is a library for creating GraphQL APIs. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the on_ws_connect process. An attacker can gain unauthorized access to WebSocket subscription endpoints by connecting with the...
GHSA-VPWC-V33Q-MQ89 strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start subscription messages. This allows a remote...
BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...
BIT-PARSE-2026-34373 Parse Server: GraphQL API endpoint ignores CORS origin restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses orig...