Description
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

A flaw in strawberry-graphql allows an unauthenticated attacker to bypass authentication on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler fails to verify that a connection_init handshake has taken place before handling start messages. An attacker can therefore skip the on_ws_connect authentication hook and begin a subscription without providing valid credentials, potentially exposing sensitive data or enabling further interaction with the API. The weakness corresponds to an authentication bypass scenario.

Affected Systems

This vulnerability affects the strawberry-graphql library for projects using versions earlier than 0.312.3. The flaw exists in the GraphQL library itself and applies to any deployment that accepts WebSocket connections using the legacy graphql-ws subprotocol.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for remote unauthenticated exploitation. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but the absence of a mitigation that requires client credentials suggests that exploitation is likely straightforward for an attacker with network access to the WebSocket endpoint.

Generated by OpenCVE AI on April 7, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade strawberry-graphql to version 0.312.3 or newer.
  • If upgrading is delayed, reconfigure the WebSocket server to enforce a connection_init handshake before processing any start messages.
  • Consider disabling the legacy graphql-ws subprotocol if it is not required for your application.

Generated by OpenCVE AI on April 7, 2026 at 22:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vpwc-v33q-mq89 strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
History

Fri, 17 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Strawberry strawberry Graphql
CPEs cpe:2.3:a:strawberry:strawberry_graphql:*:*:*:*:*:python:*:*
Vendors & Products Strawberry strawberry Graphql

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Strawberry
Strawberry strawberry
Vendors & Products Strawberry
Strawberry strawberry

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.
Title Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Strawberry Strawberry Strawberry Graphql
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:18:51.112Z

Reserved: 2026-04-03T02:15:39.281Z

Link: CVE-2026-35523

cve-icon Vulnrichment

Updated: 2026-04-09T16:11:58.650Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T17:16:31.583

Modified: 2026-04-17T20:37:20.757

Link: CVE-2026-35523

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:24:08Z

Weaknesses