CVE-2026-35526: strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL’s WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection.
An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.
References
- github.com/advisories/GHSA-hv3w-m4g2-5x77
- github.com/strawberry-graphql/strawberry
- github.com/strawberry-graphql/strawberry/commit/0977a4e6b41b7cfe3e9d8ba84a43458a2b0c54c2
- github.com/strawberry-graphql/strawberry/releases/tag/0.312.3
- github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77
- nvd.nist.gov/vuln/detail/CVE-2026-35526
Code Behaviors & Features
Detect and mitigate CVE-2026-35526 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →