PT-2026-30762 · Unknown · Strawberry Graphql

Jfoz1010 · Published 2026-04-06 · Updated 2026-06-05 · CVE-2026-35526

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Strawberry GraphQL versions prior to 0.312.3

Description: The WebSocket subscription handlers in Strawberry GraphQL, for both the graphql-transport-ws protocol and the legacy graphql-ws protocol, allocate an asyncio.Task and an associated Operation object for every incoming subscribe message without limiting the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send a connection init message, and then flood that connection with subscribe messages that each carry a unique operation ID. Every such message unconditionally spawns a new asyncio.Task and async generator, so memory grows linearly with the number of messages sent and the event loop becomes saturated with live tasks, degrading the server or crashing it with an out-of-memory (OOM) condition. Because one connection suffices, a limit on the number of concurrent connections does not on its own bound the exposure; the missing check is on subscriptions per connection.
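To make the allocation pattern concrete, the following added example models a per-connection handler for the graphql-transport-ws message types (connection_init, subscribe, complete). It is not Strawberry's code: the Connection class, handle_message, run_subscription, and the max_subscriptions cap are names introduced here for illustration, and the attacker traffic is constructed inline. With the cap set to None the handler does what the advisory describes, one new asyncio.Task per subscribe message with no bound; with a cap, every subscribe message beyond it is answered with an error instead of an allocation.

```python
import asyncio
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Illustrative model of a per-connection subscription handler for the
# graphql-transport-ws message types. Not Strawberry's code: Connection,
# handle_message, run_subscription and max_subscriptions are assumed names.


@dataclass
class Connection:
    # None reproduces the unbounded behaviour from the advisory; an int is the
    # per-connection cap the hardened variant enforces.
    max_subscriptions: Optional[int]
    tasks: Dict[str, asyncio.Task] = field(default_factory=dict)
    sent: List[Dict[str, Any]] = field(default_factory=list)
    acknowledged: bool = False

    def send(self, msg: Dict[str, Any]) -> None:
        self.sent.append(msg)  # stand-in for writing a frame to the socket


async def run_subscription(conn: Connection, op_id: str, payload: Any) -> None:
    # Stand-in for the async generator a real subscription resolver drives; a
    # real one would push {"type": "next"} frames until completed or cancelled.
    while True:
        await asyncio.sleep(3600)


async def handle_message(conn: Connection, raw: str) -> None:
    msg = json.loads(raw)
    kind = msg.get("type")
    if kind == "connection_init":
        conn.acknowledged = True
        conn.send({"type": "connection_ack"})
    elif not conn.acknowledged:
        conn.send({"type": "error", "payload": "connection not initialised"})
    elif kind == "subscribe":
        op_id = msg["id"]
        if op_id in conn.tasks:
            conn.send({"type": "error", "id": op_id, "payload": "duplicate operation id"})
        elif conn.max_subscriptions is not None and len(conn.tasks) >= conn.max_subscriptions:
            # Hardened path: refuse to allocate once the per-connection cap is reached.
            conn.send({"type": "error", "id": op_id, "payload": "too many active subscriptions"})
        else:
            # Vulnerable path when max_subscriptions is None: one Task per message, no bound.
            conn.tasks[op_id] = asyncio.create_task(
                run_subscription(conn, op_id, msg.get("payload"))
            )
    elif kind == "complete":
        task = conn.tasks.pop(msg["id"], None)
        if task is not None:
            task.cancel()


async def flood(conn: Connection, count: int):
    """Constructed attacker traffic: init once, then `count` subscribes with unique ids."""
    await handle_message(conn, json.dumps({"type": "connection_init"}))
    for i in range(count):
        await handle_message(conn, json.dumps({
            "type": "subscribe",
            "id": f"op-{i}",
            "payload": {"query": "subscription { tick }"},
        }))
    active = len(conn.tasks)
    rejected = sum(1 for m in conn.sent if m.get("type") == "error")
    # Tear the tasks down so the simulation exits cleanly.
    for task in list(conn.tasks.values()):
        task.cancel()
    await asyncio.gather(*conn.tasks.values(), return_exceptions=True)
    return active, rejected


def simulate(count: int, cap: Optional[int]):
    """Return (tasks still active, subscribe messages rejected) after the flood."""
    return asyncio.run(flood(Connection(max_subscriptions=cap), count))


if __name__ == "__main__":
    print("unbounded:", simulate(500, None))  # (500, 0): every message allocated a Task
    print("capped:   ", simulate(500, 20))    # (20, 480): excess messages rejected
```

In the unbounded run the number of live tasks equals the number of subscribe messages, which is the linear growth the advisory describes; a real server would also be holding an Operation object and an async generator per task. The cap is the shape of check a fix needs, applied before the allocation rather than after it, and the rejected message still gets a protocol-level error so a legitimate client can tell what happened.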
Recommendations: Update to Strawberry GraphQL version 0.312.3 or later. The installed version of the PyPI distribution can be checked with pip show strawberry-graphql; both WebSocket protocol handlers are affected, so there is no protocol to switch to as a workaround.

Tags: Fix · DoS · Resource Exhaustion · Allocation of Resources Without Limits



Related Identifiers: CVE-2026-35526 · GHSA-HV3W-M4G2-5X77 · PYSEC-2026-134

Affected Products: Strawberry Graphql