CVE-2026-42544 Overview
CVE-2026-42544 is a denial-of-service vulnerability in Granian, a Rust-based HTTP server for Python applications. Versions 1.2.0 through 2.7.3 abort a worker process when an unauthenticated client sends a WebSocket upgrade request with non-ASCII bytes in the Sec-WebSocket-Protocol header. The crash occurs in the WebSocket scope construction path before the Asynchronous Server Gateway Interface (ASGI) application is invoked. An attacker can repeatedly trigger worker termination without authentication. The issue is fixed in Granian 2.7.4. The vulnerability is categorized under [CWE-20] Improper Input Validation.
Critical Impact
Unauthenticated remote attackers can crash Granian worker processes by sending a single malformed WebSocket upgrade request, degrading service availability.
Affected Products
- Granian HTTP server versions 1.2.0 through 2.7.3
- Python applications served via Granian using ASGI WebSocket support
- Deployments exposing Granian WebSocket endpoints to untrusted clients
Discovery Timeline
- 2026-05-12 - CVE-2026-42544 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42544
Vulnerability Analysis
Granian processes incoming WebSocket upgrade requests by parsing HTTP headers and constructing an ASGI WebSocket scope. The scope construction logic reads the Sec-WebSocket-Protocol header and converts its value before forwarding it to the Python application. When the header value contains non-ASCII bytes, the conversion fails in a way that aborts the worker process rather than returning a controlled HTTP error.
The abort occurs before the ASGI application receives the connection. Application-layer authentication, rate limiting, and middleware therefore cannot intercept the malicious request. Each successful trigger removes one worker from the serving pool until the supervisor restarts it.
An attacker can sustain denial of service by repeatedly sending crafted upgrade requests. Worker restart churn additionally consumes CPU and memory on the host.
Root Cause
The root cause is improper input validation [CWE-20] in Granian's WebSocket scope construction path. The server treats the Sec-WebSocket-Protocol header as ASCII-safe and panics on non-ASCII byte sequences instead of rejecting the request with a 400 Bad Request response.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP Upgrade: websocket request to any Granian-served WebSocket route. The request includes a Sec-WebSocket-Protocol header containing one or more non-ASCII bytes, such as 0xFF or UTF-8 multi-byte sequences. Granian's worker aborts during scope construction. The supervisor restarts the worker, but repeated requests sustain the outage. See the GitHub Security Advisory GHSA-vrg7-482j-p6f6 for technical details.
Detection Methods for CVE-2026-42544
Indicators of Compromise
- Repeated worker process abort or restart events in Granian supervisor logs without corresponding application-level exceptions
- Inbound HTTP requests carrying Upgrade: websocket whose Sec-WebSocket-Protocol header value contains bytes outside the printable ASCII range
- Spikes in 502/503 responses or dropped WebSocket handshakes coinciding with worker restarts
Detection Strategies
- Inspect reverse proxy and web application firewall (WAF) logs for WebSocket upgrade requests whose Sec-WebSocket-Protocol header fails ASCII validation
- Correlate Granian worker termination events with inbound request metadata to identify the originating client IP and request pattern
- Alert on abnormal worker restart rates relative to a baseline measured during normal operation
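The log check described in the first two strategies, as an added example that is not part of the advisory or of Granian itself: it scans constructed proxy log lines in a hypothetical field layout for WebSocket upgrades whose Sec-WebSocket-Protocol value contains bytes outside printable ASCII and tallies hits per client IP. The field layout and the \xHH escaping of non-printable bytes are assumptions; adapt LINE_RE to the proxy's actual log format.

```python
"""Detection helper for CVE-2026-42544: flag WebSocket upgrades whose
Sec-WebSocket-Protocol header carries bytes outside printable ASCII."""
import re
from collections import Counter

# Constructed sample of a hypothetical proxy log format: client IP, request
# line, Upgrade header, Sec-WebSocket-Protocol ("swsp"). Non-printable bytes
# are assumed escaped as \xHH (NGINX's default log escaping); "-" = absent.
SAMPLE_LOG = r"""
203.0.113.10 "GET /ws HTTP/1.1" upgrade="websocket" swsp="chat, superchat"
203.0.113.77 "GET /ws HTTP/1.1" upgrade="websocket" swsp="chat\xFF"
203.0.113.77 "GET /ws HTTP/1.1" upgrade="websocket" swsp="\xC3\xA9tat"
198.51.100.5 "GET /api HTTP/1.1" upgrade="-" swsp="-"
203.0.113.10 "GET /ws HTTP/1.1" upgrade="websocket" swsp="graphql-ws"
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" upgrade="([^"]*)" swsp="([^"]*)"$')
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")

def unescape_log_value(text: str) -> bytes:
    """Turn a logged, \\xHH-escaped header value back into its raw bytes."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def has_non_printable_ascii(value: bytes) -> bool:
    """True when any byte lies outside 0x20..0x7E, the CVE-2026-42544 trigger."""
    return any(b < 0x20 or b > 0x7E for b in value)

def scan_log(log_text: str) -> list[tuple[str, str, bytes]]:
    """(client, request line, raw protocol bytes) for each unsafe upgrade."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, request, upgrade, swsp = m.groups()
        if upgrade.lower() == "websocket" and swsp != "-":
            raw = unescape_log_value(swsp)
            if has_non_printable_ascii(raw):
                findings.append((client, request, raw))
    return findings

def offenders(log_text: str) -> Counter:
    """Flagged upgrade requests per client IP, for alerting or block lists."""
    return Counter(client for client, _, _ in scan_log(log_text))
```

The same has_non_printable_ascii check is the rule a reverse proxy should enforce on the header before forwarding while the upgrade to 2.7.4 is pending.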
Monitoring Recommendations
- Export Granian process supervisor metrics, including worker restart counters, to a centralized observability platform
- Capture full HTTP request headers at the reverse proxy for WebSocket upgrade traffic to enable post-incident analysis
- Monitor availability of WebSocket endpoints with synthetic probes that flag elevated handshake failure rates
How to Mitigate CVE-2026-42544
Immediate Actions Required
- Upgrade Granian to version 2.7.4 or later on all hosts running affected versions
- Audit upstream proxy and WAF rules to reject WebSocket upgrade requests containing non-ASCII bytes in the Sec-WebSocket-Protocol header until the upgrade is complete
- Review logs for prior exploitation attempts and worker restart anomalies
Patch Information
The Granian maintainers fixed CVE-2026-42544 in version 2.7.4. The patch corrects the WebSocket scope construction path so that malformed Sec-WebSocket-Protocol header values produce a controlled HTTP error instead of aborting the worker. Refer to the GitHub Security Advisory GHSA-vrg7-482j-p6f6 for the full advisory.
Workarounds
- Place Granian behind a reverse proxy such as NGINX or HAProxy and reject WebSocket upgrade requests whose Sec-WebSocket-Protocol header contains non-ASCII bytes
- Disable WebSocket routes on internet-facing deployments where they are not required until the upgrade to 2.7.4 is complete
- Restrict WebSocket endpoint exposure to authenticated network segments where feasible
# Upgrade Granian to the fixed version, then confirm the installed version
pip install --upgrade 'granian>=2.7.4'
granian --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.