CVE-2026-44545 Overview
CVE-2026-44545 affects Daphne, the ASGI HTTP/WebSocket server maintained under the Django project. Versions before 4.2.2 fail to pass the maxFramePayloadSize and maxMessagePayloadSize parameters to Autobahn's WebSocketServerFactory. Autobahn defaults both values to 0 (unlimited), so the server accepts WebSocket frames and messages of arbitrary size. An unauthenticated remote attacker can transmit oversized payloads to exhaust server memory and cause denial of service. The flaw is classified under CWE-770: Allocation of Resources Without Limits or Throttling.
Critical Impact
Unauthenticated remote attackers can trigger memory exhaustion on Daphne servers by sending arbitrarily large WebSocket frames, resulting in denial of service.
Affected Products
- Daphne versions prior to 4.2.2
- Django applications deploying Daphne as their ASGI server
- WebSocket endpoints served by vulnerable Daphne instances
Discovery Timeline
- 2026-06-03 - CVE-2026-44545 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-44545
Vulnerability Analysis
Daphne is the reference ASGI server for Django Channels and handles HTTP and WebSocket traffic for Django applications. The server delegates WebSocket protocol handling to Autobahn, a Python library that implements the WebSocket RFC 6455 specification. Autobahn exposes maxFramePayloadSize and maxMessagePayloadSize parameters on its WebSocketServerFactory to bound the memory required for any single frame or assembled message.
Daphne versions before 4.2.2 instantiate WebSocketServerFactory without forwarding these limits. Autobahn treats the missing parameters as 0, which it interprets as unlimited. The server then accepts any payload size offered by a client. Memory required to buffer the incoming data scales directly with attacker input.
Root Cause
The root cause is a missing configuration parameter in Daphne's WebSocket factory initialization. Daphne never propagates the framework-level size limits to the underlying protocol implementation. This is a resource allocation failure consistent with CWE-770, where the application allocates buffers for client-controlled data without applying an upper bound.
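To make the "0 means unlimited" behaviour described above concrete, here is an added Python model (not Daphne's or Autobahn's own code) of how the two limits gate buffering of a fragmented message; the parameter names come from the advisory, while the 1 MiB caps and the frame sizes are constructed values, since the page does not state what Daphne 4.2.2 forwards.

```python
from dataclasses import dataclass

UNLIMITED = 0  # Autobahn interprets 0 as "no limit" for both parameters


@dataclass
class ProtocolOptions:
    # Same names as the Autobahn factory parameters named in the advisory.
    maxFramePayloadSize: int = UNLIMITED
    maxMessagePayloadSize: int = UNLIMITED


def build_factory_options(**forwarded) -> ProtocolOptions:
    """Stand-in for WebSocketServerFactory construction: any limit the caller
    does not forward falls back to 0 (unlimited), the pre-4.2.2 state."""
    return ProtocolOptions(**forwarded)


def receive_message(opts: ProtocolOptions, frame_lengths):
    """Feed one (possibly fragmented) message, given as a list of frame payload
    lengths in bytes, through the two checks the limits are meant to enforce.

    Returns (accepted, bytes_buffered, reason); bytes_buffered is how much
    client data the server held in memory before deciding."""
    buffered = 0
    for length in frame_lengths:
        # Per-frame bound: an oversized frame is refused before it is buffered.
        if 0 < opts.maxFramePayloadSize < length:
            return False, buffered, "frame exceeds payload limit"
        buffered += length
        # Per-message bound: refused once the reassembled size passes the cap.
        if 0 < opts.maxMessagePayloadSize < buffered:
            return False, buffered, "message exceeds payload limit"
    return True, buffered, "accepted"


MIB = 1024 * 1024

# Constructed input: one 256 MiB frame, then a 2 MiB message sent as 4 fragments.
HUGE_FRAME = [256 * MIB]
FRAGMENTED = [512 * 1024] * 4

# Vulnerable configuration (limits never forwarded): everything gets buffered.
vulnerable = build_factory_options()
# Fixed configuration with constructed 1 MiB caps (hypothetical values).
fixed = build_factory_options(maxFramePayloadSize=MIB, maxMessagePayloadSize=MIB)

if __name__ == "__main__":
    for name, opts in (("vulnerable", vulnerable), ("fixed", fixed)):
        print(name, receive_message(opts, HUGE_FRAME), receive_message(opts, FRAGMENTED))
```

With the vulnerable options the model reports both inputs as accepted with the full payload buffered, which is exactly the growth pattern the detection section below looks for.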
Attack Vector
An attacker establishes a WebSocket connection to any Daphne endpoint that accepts WebSocket upgrades. Authentication is not required because the limit applies at the protocol layer, before any application-level handler runs. The attacker then sends one or more large frames, or a fragmented message whose reassembled size grows unbounded. Daphne buffers each frame in memory until the process consumes available RAM, at which point the worker is terminated or the host becomes unresponsive.
The vulnerability manifests during WebSocket factory construction in Daphne's server module. See the GitHub Daphne Changelog for the upstream fix that introduces the missing parameters.
Detection Methods for CVE-2026-44545
Indicators of Compromise
- Daphne worker processes exhibiting sudden, rapid memory growth followed by OOM termination
- WebSocket connections from a single source transmitting frames larger than the application's expected message size
- Repeated WebSocket upgrade requests followed by abnormally long-lived connections sending continuous binary data
Detection Strategies
- Inspect Daphne process memory metrics for anomalous growth rates correlated with active WebSocket sessions
- Log WebSocket frame sizes at the reverse proxy or load balancer and alert on frames exceeding application-defined thresholds
- Monitor for OOMKilled events in container orchestration platforms running Daphne workloads
Monitoring Recommendations
- Enable per-connection traffic accounting on upstream proxies such as NGINX or Envoy to cap WebSocket payload sizes before they reach Daphne
- Track the Daphne version deployed across services and flag any instance running a release prior to 4.2.2
- Correlate WebSocket connection metadata with memory pressure alerts in your observability platform
How to Mitigate CVE-2026-44545
Immediate Actions Required
- Upgrade Daphne to version 4.2.2 or later across all environments running ASGI workloads
- Inventory Django Channels deployments to confirm the Daphne version in use
- Place a reverse proxy in front of Daphne to enforce WebSocket frame and message size limits at the network edge
Patch Information
The fix landed in Daphne 4.2.2. The maintainers now pass maxFramePayloadSize and maxMessagePayloadSize to Autobahn's WebSocketServerFactory, restoring bounded memory allocation. Review the GitHub Daphne Changelog for the release notes and confirm the upgrade path for your dependency manager.
Workarounds
- Terminate WebSocket traffic at a reverse proxy that enforces maximum frame and message sizes, such as NGINX, where client_max_body_size bounds the body of the upgrade request and connection-level limits bound the frames that follow
- Apply per-IP connection and rate limits at the load balancer to constrain the volume of traffic any single client can deliver
- Restrict WebSocket endpoints to authenticated users where the application architecture allows, reducing exposure to unauthenticated attackers
# Upgrade Daphne to a fixed release and confirm the installed version
pip install --upgrade 'daphne>=4.2.2'
python -c "import daphne; print(daphne.__version__)"   # expect 4.2.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.