Lucene search
K

5 matches found

PyPA
PyPA
added 2026/04/07 5:16 p.m.9 views

PYSEC-2026-133

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

7.5CVSS5.7AI score0.00424EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/07 3:58 p.m.3 views

CVE-2026-35523

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before...

7.5CVSS5.8AI score0.00424EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/07 3:58 p.m.32 views

CVE-2026-35523

CVE-2026-35523 affects Strawberry GraphQL up to version 0.312.3, where the legacy graphql-ws WebSocket subprotocol may bypass authentication on WebSocket subscription endpoints. The root cause is that the graphql-ws handshake (connection_init) is not verified before processing start/subscription ...

7.5CVSS5.9AI score0.00424EPSS
Exploits0References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/06 6:0 p.m.12 views

strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol

Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before processing start subscription messages. This allows a remote...

7.5CVSS5.8AI score0.00424EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/04/06 6:0 p.m.6 views

GHSA-VPWC-V33Q-MQ89 strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol

Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before processing start subscription messages. This allows a remote...

7.5CVSS5.8AI score0.00424EPSS
Exploits0References6
Rows per page
Query Builder