CVE-2026-35523

Name of the Vulnerable Software and Affected Versions Strawberry GraphQL versions through 0.312.3

Description Strawberry GraphQL is susceptible to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify completion of a connection init handshake before processing start (subscription) messages. This allows an attacker to bypass the on ws connect authentication hook by connecting with the graphql-ws subprotocol and sending a start message directly, without a connection init message. The graphql-transport-ws subprotocol handler is not affected. Applications relying on on ws connect for authentication or authorization are affected.

Recommendations Upgrade to version 0.312.3 or later. Alternatively, disable the legacy graphql-ws subprotocol by setting subscription protocols=[GRAPHQL TRANSPORT WS PROTOCOL] on your GraphQL view/router.