CVE-2026-35526 Overview
CVE-2026-35526 is a Resource Exhaustion vulnerability affecting Strawberry GraphQL, a popular Python library for creating GraphQL APIs. The vulnerability exists in the WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols. These handlers allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection.
Critical Impact
An unauthenticated attacker can cause server degradation or complete Out-of-Memory (OOM) crash by flooding subscribe messages through a single WebSocket connection, leading to linear memory growth and event loop saturation.
Affected Products
- Strawberry GraphQL versions prior to 0.312.3
- Applications using graphql-transport-ws protocol
- Applications using legacy graphql-ws protocol
Discovery Timeline
- 2026-04-07 - CVE-2026-35526 published to NVD
- 2026-04-08 - Last updated in the NVD database
Technical Details for CVE-2026-35526
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue resides in how Strawberry GraphQL's WebSocket subscription handlers process incoming subscribe messages. When a client establishes a WebSocket connection and sends a connection_init message, the server enters a state where it processes subscription requests.
For each subscribe message received with a unique ID, the server unconditionally spawns a new asyncio.Task and creates an associated async generator to handle the subscription. The critical flaw is that there is no mechanism to limit the number of concurrent subscriptions that can be created on a single WebSocket connection. This design allows an attacker to exhaust server resources by rapidly sending subscription requests.
Root Cause
The root cause is the absence of rate limiting or resource quotas in the WebSocket subscription handling code. The server trusts that clients will behave reasonably and does not implement defensive measures against malicious subscription flooding. Each subscription creates persistent memory allocations (tasks and generators) that remain active until explicitly cancelled or the connection closes, enabling unbounded resource consumption.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Opening a single WebSocket connection to a vulnerable Strawberry GraphQL endpoint
- Sending a connection_init message to establish the subscription protocol
- Flooding the connection with subscribe messages, each containing a unique operation ID
- Each message triggers the creation of a new asyncio.Task and async generator
- Memory consumption grows linearly with each subscription until the server either becomes unresponsive (event loop saturation) or crashes due to OOM
The attack is particularly dangerous because it requires minimal resources from the attacker: a single WebSocket connection can generate sufficient load to crash a server. For more technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35526
Indicators of Compromise
- Abnormally high number of WebSocket connections or subscriptions from single IP addresses
- Rapid increase in server memory utilization without corresponding legitimate traffic increase
- Event loop latency spikes or unresponsive GraphQL endpoints
- Server logs showing excessive subscribe messages with sequential or random unique IDs
Detection Strategies
- Monitor WebSocket connection metrics for unusual subscription patterns per connection
- Implement alerting on memory usage thresholds and asyncio task counts
- Deploy application-level logging to track subscription creation rates
- Use network traffic analysis to identify subscription flooding patterns
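The application-level logging and per-connection anomaly checks listed above, worked through as an added example (not code from the advisory or from the Strawberry project). The log line format, the connection ids, the sample log itself and the two thresholds are all assumptions; the detection logic tracks, per connection, the peak number of simultaneously active subscriptions and the peak number of subscribe messages inside a sliding window, which are the two signals the flooding pattern produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Assumed log line format emitted by the application's subscription handler:
#   <ISO-8601 timestamp>Z conn=<connection id> event=<subscribe|complete|close> [id=<operation id>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z conn=(?P<conn>\S+) event=(?P<event>subscribe|complete|close)(?: id=(?P<op>\S+))?$"
)

# Assumed thresholds; tune them to the application's legitimate subscription usage.
MAX_ACTIVE_PER_CONNECTION = 50
MAX_SUBSCRIBES_PER_WINDOW = 100
WINDOW = timedelta(seconds=10)


def build_sample_log() -> List[str]:
    """Constructed sample log: c1 is a normal client, c2 opens 300 subscriptions in
    under two seconds over one connection and never completes any of them."""
    base = datetime(2026, 4, 8, 10, 0, 0)
    lines = []
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z conn=c1 event=subscribe id=op-{i}")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()}Z conn=c1 event=complete id=op-0")
    for i in range(300):
        ts = base + timedelta(milliseconds=6 * i)
        lines.append(f"{ts.isoformat()}Z conn=c2 event=subscribe id=op-{i}")
    return lines


def analyze(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per connection: peak number of simultaneously active subscriptions and
    peak number of subscribe messages inside any sliding WINDOW."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["conn"], m["event"], m["op"]))
    records.sort(key=lambda r: r[0])  # lines from several workers may interleave

    active: Dict[str, Set[str]] = defaultdict(set)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"peak_active": 0, "peak_subscribes_per_window": 0}
    )
    for ts, conn, event, op in records:
        if event == "subscribe":
            active[conn].add(op)
            window = recent[conn]
            window.append(ts)
            while ts - window[0] > WINDOW:  # drop subscribes older than the window
                window.popleft()
            s = stats[conn]
            s["peak_active"] = max(s["peak_active"], len(active[conn]))
            s["peak_subscribes_per_window"] = max(s["peak_subscribes_per_window"], len(window))
        elif event == "complete":
            active[conn].discard(op)
        elif event == "close":
            active[conn].clear()  # the server frees every subscription on close
    return dict(stats)


def flag_connections(lines: List[str]) -> List[str]:
    """Connection ids whose behaviour matches the subscription flooding pattern."""
    return sorted(
        conn for conn, s in analyze(lines).items()
        if s["peak_active"] > MAX_ACTIVE_PER_CONNECTION
        or s["peak_subscribes_per_window"] > MAX_SUBSCRIBES_PER_WINDOW
    )


if __name__ == "__main__":
    for conn, s in analyze(build_sample_log()).items():
        print(conn, s)
    print("flagged:", flag_connections(build_sample_log()))
```

Both signals are kept per connection rather than per source address on purpose: the advisory's point is that one connection is enough, so an address-level view that averages over many well-behaved connections from the same NAT would dilute the spike.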
Monitoring Recommendations
- Configure memory usage alerts at 70-80% threshold to catch attacks before OOM
- Monitor asyncio task counts and set alerts for abnormal growth patterns
- Track WebSocket message rates per connection and flag statistical anomalies
- Implement connection-level metrics to identify single connections with excessive subscriptions
How to Mitigate CVE-2026-35526
Immediate Actions Required
- Upgrade Strawberry GraphQL to version 0.312.3 or later immediately
- Review and audit all GraphQL WebSocket endpoints for exposure
- Implement connection-level rate limiting at the reverse proxy or load balancer layer
- Consider temporarily disabling WebSocket subscriptions if upgrade is not immediately possible
Patch Information
The vulnerability has been fixed in Strawberry GraphQL version 0.312.3. The patch introduces limits on the number of active subscriptions that can be created per WebSocket connection. Organizations should update their dependencies as soon as possible.
For detailed patch information, refer to the GitHub Security Advisory.
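To make the unbounded allocation described under Vulnerability Analysis and the per-connection limit described under Patch Information concrete, here is an added, self-contained illustration. It is not Strawberry's code and does not reproduce its handler: the message shapes (connection_init, connection_ack, subscribe, next, complete, error, and the 4401/4409 close codes) follow the graphql-transport-ws protocol, while the handler class, the stand-in resolver, the MAX_SUBSCRIPTIONS_PER_CONNECTION value and the measurement helper are assumptions. Passing max_subscriptions=None reproduces the pre-fix behaviour, where every distinct subscribe message allocates a Task and an async generator that stay alive until the connection closes; passing a cap refuses further subscribes before anything is allocated.

```python
import asyncio
from typing import AsyncIterator, Dict, List, Optional

# Assumed cap (not a Strawberry setting): the advisory says the fix limits active
# subscriptions per connection; the exact number and knob are implementation details.
MAX_SUBSCRIPTIONS_PER_CONNECTION = 100


async def stand_in_subscription(operation_id: str) -> AsyncIterator[dict]:
    """Stand-in for a resolver's async generator: a long-lived stream that keeps
    its Task and generator alive until cancelled, like a real subscription."""
    while True:
        await asyncio.sleep(3600)
        yield {"id": operation_id}


class SubscriptionConnection:
    """Server-side state for one WebSocket connection. Outgoing messages are
    appended to `sent` instead of being written to a socket so the logic runs
    offline. max_subscriptions=None reproduces the unbounded pre-fix behaviour."""

    def __init__(self, max_subscriptions: Optional[int]) -> None:
        self.max_subscriptions = max_subscriptions
        self.tasks: Dict[str, asyncio.Task] = {}  # one Task per active operation id
        self.sent: List[dict] = []
        self.acknowledged = False

    async def handle(self, message: dict) -> None:
        mtype = message.get("type")
        if mtype == "connection_init":
            self.acknowledged = True
            self.sent.append({"type": "connection_ack"})
        elif not self.acknowledged:
            # Protocol: anything before connection_init closes the socket with 4401.
            self.sent.append({"type": "close", "code": 4401, "reason": "Unauthorized"})
        elif mtype == "subscribe":
            self._subscribe(message["id"])
        elif mtype == "complete":
            self._cancel(message["id"])

    def _subscribe(self, operation_id: str) -> None:
        if operation_id in self.tasks:
            # Protocol: a reused id is a client error and closes the socket with 4409.
            self.sent.append({"type": "close", "code": 4409,
                              "reason": f"Subscriber for {operation_id} already exists"})
            return
        # Hardened path: refuse before allocating anything once the cap is reached.
        if self.max_subscriptions is not None and len(self.tasks) >= self.max_subscriptions:
            self.sent.append({"id": operation_id, "type": "error",
                              "payload": [{"message": "Too many active subscriptions"}]})
            return
        # Below the cap (or with no cap at all) every subscribe allocates a Task plus
        # an async generator that live until `complete` or connection close.
        self.tasks[operation_id] = asyncio.create_task(self._run(operation_id))

    async def _run(self, operation_id: str) -> None:
        try:
            async for event in stand_in_subscription(operation_id):
                self.sent.append({"id": operation_id, "type": "next", "payload": event})
            self.sent.append({"id": operation_id, "type": "complete"})
        finally:
            self.tasks.pop(operation_id, None)  # release the slot on any exit

    def _cancel(self, operation_id: str) -> None:
        task = self.tasks.get(operation_id)
        if task is not None:
            task.cancel()

    async def close(self) -> None:
        """Connection teardown: cancel every outstanding subscription Task."""
        pending = list(self.tasks.values())
        for task in pending:
            task.cancel()
        await asyncio.gather(*pending, return_exceptions=True)


async def _measure(n_subscribes: int, cap: Optional[int]) -> tuple:
    conn = SubscriptionConnection(cap)
    await conn.handle({"type": "connection_init"})
    for i in range(n_subscribes):
        await conn.handle({"id": f"op-{i}", "type": "subscribe",
                           "payload": {"query": "subscription { tick }"}})
    await asyncio.sleep(0)  # let the created Tasks start
    active = len(conn.tasks)
    refused = sum(1 for m in conn.sent if m.get("type") == "error")
    await conn.close()
    return active, refused


def measure_allocations(n_subscribes: int, cap: Optional[int]) -> tuple:
    """Send n_subscribes distinct subscribe messages over one connection and
    return (Tasks alive afterwards, subscribes refused by the cap)."""
    return asyncio.run(_measure(n_subscribes, cap))


if __name__ == "__main__":
    print("unbounded:", measure_allocations(1000, None))  # (1000, 0)
    print("capped:", measure_allocations(1000, MAX_SUBSCRIPTIONS_PER_CONNECTION))  # (100, 900)
```

The check sits before `asyncio.create_task`, so a refused subscribe costs only the error message; the slot is released in `_run`'s `finally`, so legitimate clients that complete their operations never run into the cap.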
Workarounds
- Deploy a reverse proxy (nginx, HAProxy) with WebSocket message rate limiting
- Implement authentication requirements for WebSocket subscription endpoints
- Configure connection timeouts to automatically close long-running idle connections
- Use infrastructure-level DDoS protection services to filter malicious traffic patterns
# Example nginx rate limiting configuration for WebSocket endpoints
# limit_req_zone must be declared in the http block; the location goes in the server block
# Define a rate limiting zone keyed on the client address
limit_req_zone $binary_remote_addr zone=ws_limit:10m rate=10r/s;
# Apply to the GraphQL WebSocket location. limit_req throttles the HTTP upgrade
# (handshake) requests, not the messages sent over an already established WebSocket,
# so it limits how many connections a client can open, while the per-connection
# subscription cap still has to be enforced by the application (see Patch Information).
location /graphql/ws {
    limit_req zone=ws_limit burst=20 nodelay;
    proxy_pass http://backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400;  # 24h; lower it if idle timeouts are meant to close abandoned connections
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.