CVE-2026-35523

Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol

Description

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.

INFO

Published Date :

2026-04-07T15:58:17.694Z

Last Modified :

2026-04-07T15:58:17.694Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-35523 vulnerability.

Vendors	Products
Strawberry	Strawberry

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35523.

URL	Resource
https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact