CVE-2026-35526
Published: 07 April 2026
Summary
CVE-2026-35526 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the Strawberry GraphQL library. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 21.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly protects against denial-of-service attacks by implementing controls that detect and block floods of WebSocket subscribe messages that cause resource exhaustion.
- Restricts resource consumption by limiting the allocation of asyncio tasks and memory for unlimited active subscriptions per WebSocket connection.
- Limits the number of incoming subscribe messages processed per connection to prevent linear memory growth and event loop saturation.
MITRE ATT&CK Enterprise Techniques
- Application Exhaustion Flood (T1499.003)
Why these techniques?
The vulnerability enables flooding WebSocket subscribe messages to exhaust application resources (unbounded Task/Operation allocation leading to OOM or degradation), which maps directly to an application exhaustion flood denial of service.
NVD Description
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash. This vulnerability is fixed in 0.312.3.
Deeper analysis
CVE-2026-35526 is a vulnerability in the Strawberry GraphQL library, a Python library for creating GraphQL APIs, affecting versions prior to 0.312.3. The issue lies in the WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols. These handlers allocate an asyncio.Task and an associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection, resulting in unbounded resource allocation, linear memory growth, and event loop saturation.
An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no privileges required. By opening a single WebSocket connection, sending a connection_init message, and then flooding the connection with subscribe messages using unique IDs, the attacker triggers the creation of new asyncio.Tasks and async generators for each message. This leads to server degradation or an out-of-memory (OOM) crash. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability is addressed in Strawberry GraphQL version 0.312.3. Security practitioners are advised to upgrade to this version or later to mitigate the issue. Additional details are available in the GitHub Security Advisory at https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77.
Details
- CWE(s)