CVE-2026-42545 Overview
CVE-2026-42545 affects Granian, a Rust-based HTTP server for Python applications maintained by the Emmett framework project. The vulnerability impacts versions 0.2.0 through 2.7.3. Granian aborts a worker process when a Web Server Gateway Interface (WSGI) application returns an invalid HTTP response header name or value. The WSGI response conversion path calls .unwrap() on both the header name and header value constructors. Malformed application output triggers a process abort instead of a handled error, classified under [CWE-248] Uncaught Exception. The issue is fixed in version 2.7.4.
Critical Impact
A misbehaving or attacker-influenced WSGI application can crash Granian worker processes, causing denial of service against Python web applications.
Affected Products
- Granian HTTP server versions 0.2.0 through 2.7.3
- Python WSGI applications deployed behind Granian
- Emmett framework deployments using vulnerable Granian releases
Discovery Timeline
- 2026-05-12 - CVE-2026-42545 published to the National Vulnerability Database
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42545
Vulnerability Analysis
Granian bridges Rust HTTP handling with Python WSGI applications. When a WSGI application returns response headers, Granian converts the Python header tuples into Rust HTTP header structures. The conversion path constructs HeaderName and HeaderValue objects from the application output. Both constructors return Result types because header names and values must conform to RFC 7230 grammar.
The vulnerable code calls .unwrap() on these Result values. When the WSGI application emits a header name containing illegal characters, or a header value containing control characters or other disallowed bytes, the constructor returns an Err. The .unwrap() call then panics. Because the panic is not caught, the worker process aborts.
The attack complexity is high because the attacker must influence application output rather than the wire protocol directly. However, repeated triggering exhausts worker capacity and produces sustained denial of service.
Root Cause
The root cause is improper error handling [CWE-248] in the WSGI response conversion layer. Fallible Rust operations were unwrapped instead of propagated as HTTP 500 responses or logged errors. Untrusted input from the Python application crosses a safety boundary without validation.
Attack Vector
An attacker who can influence headers emitted by the WSGI application can trigger the abort. This includes scenarios where user-controlled data is reflected into response headers such as Set-Cookie, Location, or custom headers without sanitization. Each malformed response terminates the serving worker, degrading availability.
No verified public exploit is available. Refer to the GitHub Security Advisory GHSA-f5p7-9fr5-8jmj for technical details.
Detection Methods for CVE-2026-42545
Indicators of Compromise
- Unexpected worker process termination entries in Granian logs referencing panics in header conversion
- Repeated HTTP 502 or connection reset responses returned to clients during normal traffic
- Process supervisor restart events for Granian workers at abnormal frequency
Detection Strategies
- Audit WSGI application code paths that place untrusted user input into response headers without validation
- Review Granian version strings across deployed environments and flag releases earlier than 2.7.4
- Correlate worker restart counts with inbound request patterns to identify targeted abort attempts
Monitoring Recommendations
- Track worker abort rate and process restart frequency as a service health metric
- Alert on Rust panic signatures in stderr output from Granian processes
- Monitor 5xx error rates and downstream timeouts that coincide with worker crashes
How to Mitigate CVE-2026-42545
Immediate Actions Required
- Upgrade Granian to version 2.7.4 or later across all production and staging deployments
- Audit WSGI applications for code that copies untrusted input directly into HTTP response headers
- Add input validation to reject control characters and non-ASCII bytes before assigning header values
Patch Information
The maintainers fixed the issue in Granian 2.7.4 by replacing .unwrap() calls in the WSGI response conversion path with proper error handling. Operators should pin dependency versions to granian>=2.7.4 in requirements.txt, pyproject.toml, or equivalent dependency manifests. See the GitHub Security Advisory for complete fix details.
Workarounds
- Place a reverse proxy in front of Granian that strips or validates response headers before forwarding to clients
- Wrap WSGI applications with middleware that sanitizes header names and values against RFC 7230 grammar
- Configure process supervisors to rate-limit worker restarts and alert when thresholds are exceeded
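The middleware workaround above, as an added example that is not code from Granian or from this advisory: it checks every response header name against the RFC 7230 token grammar and every value against the field-value grammar, and replaces a response carrying a malformed header with an empty 500 so it never reaches the server's header conversion. The reflecting demo app, the in-process driver and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 header name: token = 1*tchar

def valid_header_value(value):
    # RFC 7230 field-value: VCHAR (0x21-0x7E) / obs-text (0x80-0xFF) / SP / HTAB; CR, LF, NUL, other CTLs rejected
    return all(c == "\t" or 0x20 <= ord(c) <= 0x7E or 0x80 <= ord(c) <= 0xFF for c in value)

def find_invalid_header(headers):
    """Describe the first malformed (name, value) pair, or return None when all are well-formed."""
    for name, value in headers:
        if not _TOKEN_RE.match(name):
            return "invalid header name %r" % (name,)
        if not valid_header_value(value):
            return "invalid value for header %r" % (name,)
    return None

def header_guard(app, log=print):
    """WSGI middleware: a response carrying a malformed header is turned into an empty 500 here,
    so it never reaches the server's header conversion (which aborts the worker in Granian < 2.7.4)."""
    def guarded_app(environ, start_response):
        rejected = []
        def guarded_start_response(status, headers, exc_info=None):
            problem = find_invalid_header(headers)
            if problem is None:
                return start_response(status, headers, exc_info)
            rejected.append(problem)
            log("header_guard: %s; replacing response with 500" % problem)
            return start_response("500 Internal Server Error",
                                  [("Content-Type", "text/plain"), ("Content-Length", "0")], exc_info)
        body = app(environ, guarded_start_response)
        if not rejected:
            return body
        getattr(body, "close", lambda: None)()  # discard the body that belonged to the rejected response
        return [b""]
    return guarded_app

def demo(next_param):
    """Drive a guarded demo app in-process (no server): returns (status, headers, body)."""
    def app(environ, start_response):  # constructed demo app: reflects "next" into Location unsanitized
        start_response("302 Found", [("Location", parse_qs(environ["QUERY_STRING"]).get("next", ["/"])[0])])
        return [b""]
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": "next=" + next_param}
    body = b"".join(header_guard(app, log=lambda msg: None)(environ, start_response))
    return captured["status"], captured["headers"], body
```

A percent-encoded CR/LF in the "next" parameter reaches the Location header as raw control characters; with the guard in place the client receives a 500 and the worker keeps serving.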
```shell
# Upgrade Granian to the patched release
pip install --upgrade 'granian>=2.7.4'
# Verify installed version
python -c "import granian; print(granian.__version__)"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.