Cyber Resilience

CVE-2026-35523

High

Published: 07 April 2026

Modified: 17 April 2026
KEV Added: not listed
Patch: available (0.312.3)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0011 (28.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35523 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the Strawberry GraphQL library (vendor: strawberry). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.2nd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35523 is an authentication bypass vulnerability in the Strawberry GraphQL library, which is used to build GraphQL APIs. Versions prior to the 0.312.3 fix are affected, specifically in the handling of WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has completed before processing start (subscription) messages, so the authentication performed during that handshake can be bypassed.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By connecting via the graphql-ws subprotocol and sending a start message directly without the connection_init step, the attacker skips the on_ws_connect authentication hook entirely. This grants access to sensitive subscription data, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and associated CWE-306 (Missing Authentication for Critical Function).

The vulnerability is addressed in Strawberry GraphQL version 0.312.3. Practitioners should upgrade to this version or later to mitigate the issue. Additional details are available in the security advisory at https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89.
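To make the handshake-ordering check concrete, the following is an added illustration (not Strawberry's code) of the CWE-306 pattern in a minimal legacy graphql-ws message handler: the same handler runs once mirroring the flawed behaviour, which serves a start message without ever consulting on_ws_connect, and once with the fix, which refuses start until connection_init has succeeded. Session, handle_message, run_sequence, the token value and the client message sequences are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    """Per-connection state; `authenticated` is set only by a successful connection_init."""
    authenticated: bool = False
    subscriptions: dict = field(default_factory=dict)

def on_ws_connect(payload: dict) -> bool:
    """Hypothetical authentication hook run on connection_init (constructed token, not real)."""
    return payload.get("Authorization") == "Bearer constructed-demo-token"

def handle_message(session: Session, msg: dict, enforce_handshake: bool = True) -> dict:
    """Process one legacy graphql-ws message and return the server's reply.

    enforce_handshake=True  -> fixed behaviour: 'start' requires a completed connection_init.
    enforce_handshake=False -> the CWE-306 pattern: 'start' is served without any handshake,
                               so on_ws_connect is never consulted.
    """
    kind = msg.get("type")
    if kind == "connection_init":
        if on_ws_connect(msg.get("payload") or {}):
            session.authenticated = True
            return {"type": "connection_ack"}
        return {"type": "connection_error", "payload": {"message": "unauthorized"}}
    if kind == "start":
        if enforce_handshake and not session.authenticated:
            return {"type": "connection_error",
                    "payload": {"message": "connection_init must complete before start"}}
        session.subscriptions[msg["id"]] = msg["payload"]["query"]
        # Constructed stand-in for the subscription's first data event.
        return {"type": "data", "id": msg["id"], "payload": {"data": {"event": "constructed"}}}
    return {"type": "connection_error", "payload": {"message": f"unknown type {kind!r}"}}

def run_sequence(messages: list, enforce_handshake: bool = True) -> list:
    """Feed a client message sequence through a fresh Session and collect the reply types."""
    session = Session()
    return [handle_message(session, m, enforce_handshake)["type"] for m in messages]

# Constructed client traffic: a start message with no connection_init before it,
# and the same start message preceded by a valid handshake.
START_ONLY = [{"type": "start", "id": "1", "payload": {"query": "subscription { events }"}}]
FULL_HANDSHAKE = [{"type": "connection_init",
                   "payload": {"Authorization": "Bearer constructed-demo-token"}}] + START_ONLY

if __name__ == "__main__":
    print("flawed handler, start only:  ", run_sequence(START_ONLY, enforce_handshake=False))
    print("fixed handler, start only:   ", run_sequence(START_ONLY))
    print("fixed handler, full handshake:", run_sequence(FULL_HANDSHAKE))
```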

Vulnerability details

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.

CWE(s)

CWE-306 Missing Authentication for Critical Function
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication bypass in the public-facing GraphQL WebSocket endpoint directly enables exploitation of public-facing applications (T1190) to gain unauthorized access to subscription data without completing the required handshake.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35526: same product (strawberry / strawberry graphql)
CVE-2025-21515: shared CWE-306
CVE-2025-57432: shared CWE-306
CVE-2026-27446: shared CWE-306
CVE-2026-21446: shared CWE-306
CVE-2021-47891: shared CWE-306
CVE-2025-41715: shared CWE-306
CVE-2026-24790: shared CWE-306
CVE-2025-21524: shared CWE-306
CVE-2025-53072: shared CWE-306

Affected Assets

strawberry / strawberry graphql, versions ≤ 0.312.3

Mitigating Controls (NIST 800-53 r5)

Prevent, AC-3 (Access Enforcement): Enforces approved authorizations, requiring verification of the connection_init handshake before processing WebSocket start messages to prevent authentication bypass.

Prevent, SI-2 (Flaw Remediation): Provides timely remediation by patching the Strawberry GraphQL library to version 0.312.3 or later, directly fixing the flawed graphql-ws handler.

Prevent: Protects WebSocket session authenticity by ensuring proper authentication handshake completion prior to subscription data access.
