Description
Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Granian, a Rust HTTP server for Python applications, has a flaw that allows an unauthenticated client to trigger a crash. If a WebSocket upgrade request includes a Sec-WebSocket-Protocol header containing non‑ASCII bytes, the server aborts the worker process before the application is called. The result is a denial‑of‑service that can affect the availability of the entire application. The weakness is rooted in improper input validation (CWE‑20), unforeseen byte handling (CWE‑248), and unchecked resource consumption (CWE‑400).
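Because the crash happens inside the server before the ASGI application runs, a check in application middleware cannot prevent it; the validation has to sit in front of the server. The following is an added illustration (not Granian project code) of a strict Sec-WebSocket-Protocol validator, usable in a proxy or WAF hook that sees the raw request; the request samples and the host name are constructed for the example.

```python
import re

# RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
# "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA (printable ASCII only).
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_subprotocols(raw: bytes):
    """Return the subprotocol tokens in a Sec-WebSocket-Protocol value
    (RFC 6455 section 4.1: 1#token), or None if the value is malformed.
    Any byte >= 0x80, any control byte, whitespace inside a token or an
    empty list element makes the header invalid."""
    if not raw:
        return None
    items = [item.strip(b" \t") for item in raw.split(b",")]  # OWS around each element
    if any(_TOKEN.fullmatch(item) is None for item in items):
        return None
    return [item.decode("ascii") for item in items]

def inspect_upgrade_request(request: bytes):
    """Classify a raw HTTP/1.1 request head as 'pass', 'reject' or
    'not-websocket', with a detail string. Header names are matched
    case-insensitively; repeated header lines are joined as a comma list
    (RFC 7230 section 3.2.2)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip(b" \t"))
    upgrade = headers.get(b"upgrade", [b""])[0].lower()
    if b"websocket" not in upgrade:
        return "not-websocket", ""
    proto = headers.get(b"sec-websocket-protocol")
    if proto is None:
        return "pass", "no subprotocol requested"
    combined = b",".join(proto)
    parsed = parse_subprotocols(combined)
    if parsed is None:
        bad = [f"0x{b:02x}" for b in combined if b >= 0x80]
        return "reject", f"malformed Sec-WebSocket-Protocol; non-ASCII bytes: {bad or 'none'}"
    return "pass", ",".join(parsed)

# Constructed sample requests (hypothetical host, not captured traffic).
GOOD_REQUEST = (b"GET /ws HTTP/1.1\r\nHost: app.example\r\nUpgrade: websocket\r\n"
                b"Connection: Upgrade\r\nSec-WebSocket-Version: 13\r\n"
                b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                b"Sec-WebSocket-Protocol: chat, superchat\r\n\r\n")
BAD_REQUEST = GOOD_REQUEST.replace(b"chat, superchat", b"chat, \xc3\xa9chat")
```

A rejected request should be answered with a 400 at the proxy and logged with the offending bytes, which also gives a detection signal for exploitation attempts against unpatched workers.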

Affected Systems

The vulnerability affects Emmett Framework's Granian server in versions 1.2.0 through 2.7.3, inclusive. The fix is present in 2.7.4 and later. System administrators should verify the installed version and plan an update accordingly.

Risk and Exploitability

With a CVSS score of 7.5, the flaw is rated high severity. EPSS data is not available, but because no authentication is required, any host that can reach the server can trigger the crash. There is no entry in the CISA KEV catalog, yet the potential for large-scale denial of service is serious in exposed deployments. An attacker simply sends a crafted WebSocket upgrade request containing non-ASCII characters in the protocol header; no secrets or privileges are required, so exploitation is straightforward in network-visible environments.

Generated by OpenCVE AI on May 12, 2026 at 23:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Granian to 2.7.4 or later to remove the crash path.
  • If an immediate upgrade is not possible, block unauthorized access to the WebSocket endpoint by firewall or reverse proxy rules, limiting connections to trusted hosts.
  • Enable health‑check or watchdog scripts that automatically restart any crashed worker process and log the incident for investigation.

Advisories

Source: GitHub GHSA
ID: GHSA-vrg7-482j-p6f6
Title: Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic

History

Tue, 12 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.
Title | | Granian: Unauthenticated DoS via WebSocket subprotocol header panic
Weaknesses | | CWE-20, CWE-248, CWE-400
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:46:19.734Z

Reserved: 2026-04-28T16:56:50.191Z

Link: CVE-2026-42544

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T22:16:34.467

Modified: 2026-05-12T22:16:34.467

Link: CVE-2026-42544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses