Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0966

NIXPKGS-2026-0966
published on
Permalink CVE-2026-35523
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 day, 23 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 8 hours ago
  • @LeSuisse removed package strawberry 1 day, 23 hours ago
  • @LeSuisse removed package strawberry-qt6 1 day, 23 hours ago
  • @LeSuisse removed package python312Packages.strawberry-django 1 day, 23 hours ago
  • @LeSuisse removed package python313Packages.strawberry-django 1 day, 23 hours ago
  • @LeSuisse removed package pkgsRocm.python3Packages.strawberry-django 1 day, 23 hours ago
  • @LeSuisse accepted 1 day, 23 hours ago
  • @LeSuisse published on GitHub 1 day, 23 hours ago
Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.

Affected products

strawberry
  • ==< 0.312.3

Matching in nixpkgs

Ignored packages (5)

Package maintainers