NIXPKGS-2026-0966

GitHub issue published 1 month, 4 weeks ago

Permalink CVE-2026-35523

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 1 month, 4 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 4 weeks ago
@LeSuisse ignored
5 packages
- strawberry
- strawberry-qt6
- python312Packages.strawberry-django
- python313Packages.strawberry-django
- pkgsRocm.python3Packages.strawberry-django
1 month, 4 weeks ago
@LeSuisse accepted 1 month, 4 weeks ago
@LeSuisse published on GitHub 1 month, 4 weeks ago

Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.