CVE-2026-35523
Published: 07 April 2026
Summary
CVE-2026-35523 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Strawberry Strawberry Graphql. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations, requiring verification of the connection_init handshake before processing WebSocket start messages to prevent authentication bypass.
Provides timely remediation by patching the Strawberry GraphQL library to version 0.312.3 or later, directly fixing the flawed graphql-ws handler.
Protects WebSocket session authenticity by ensuring proper authentication handshake completion prior to subscription data access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authentication bypass in the public-facing GraphQL WebSocket endpoint directly enables exploitation of public-facing applications (T1190) to gain unauthorized access to subscription data without completing the required handshake.
NVD Description
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before…
more
processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.
Deeper analysisAI
CVE-2026-35523 is an authentication bypass vulnerability in the Strawberry GraphQL library, which is used for creating GraphQL APIs. Versions up to 0.312.3 are affected specifically in the handling of WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages, enabling attackers to circumvent authentication mechanisms.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By connecting via the graphql-ws subprotocol and sending a start message directly without the connection_init step, the attacker skips the on_ws_connect authentication hook entirely. This grants access to sensitive subscription data, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and associated CWE-306 (Missing Authentication for Critical Function).
The vulnerability is addressed in Strawberry GraphQL version 0.312.3. Practitioners should upgrade to this version or later to mitigate the issue. Additional details are available in the security advisory at https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89.
Details
- CWE(s)