PT-2026-41972 · Strawberry Graphql+2 · Strawberry+1

Lpschroer · Published 2026-05-19 · Updated 2026-06-04 · CVE-2026-45739

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Strawberry GraphQL versions 0.288.4 through 0.315.3
Description: The bundled GraphiQL template in Strawberry GraphQL writes values from the headers editor into the browser URL query string. This occurs because the strawberry/static/graphiql.html template calls the updateURL() function from onEditHeaders(), which serializes arbitrary header text into the headers parameter of the URL. Consequently, sensitive information such as Authorization tokens can be exposed in browser history, in copied links, and in server, proxy, or CDN access logs after a page reload or when a request URL is shared. The exposure is limited to the browser-based IDE; it does not affect GraphQL query execution and does not allow direct authorization bypass.
Recommendations: Update to version 0.315.4. As a temporary workaround, disable the bundled IDE in production by setting graphql_ide=None in the GraphQLRouter or other HTTP integrations. Alternatively, provide a custom GraphiQL template that does not serialize header values into the URL.
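To make the mechanism and the custom-template mitigation concrete, the following is an added example (not Strawberry's own graphiql.html code): a minimal model of an IDE that mirrors its editor state into the page URL, in the leaking form the advisory describes and in a hardened form that never persists the headers editor, plus a helper for checking a logged request URL for a leaked Authorization header. Function names, the field list and the sample editor state are assumptions constructed for the example.

```javascript
// Leaking form: every editor field, headers included, is serialized into the
// query string, so an Authorization header typed into the IDE ends up in the URL.
function buildUrlLeaky(base, state) {
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(state)) {
    if (value) params.set(key, value);
  }
  return `${base}?${params.toString()}`;
}

// Hardened form: only an explicit allow-list of fields is persisted to the URL;
// the headers editor is deliberately absent, so it stays in page state only.
const PERSISTED_FIELDS = ["query", "variables", "operationName"];

function buildUrlHardened(base, state) {
  const params = new URLSearchParams();
  for (const key of PERSISTED_FIELDS) {
    if (state[key]) params.set(key, state[key]);
  }
  return `${base}?${params.toString()}`;
}

// Access-log review helper: true if the request URL carries a "headers"
// parameter whose decoded value names an Authorization header. Useful for
// spotting leaked links in proxy or CDN logs after the fact.
function urlLeaksAuthorization(url) {
  const headers = new URL(url).searchParams.get("headers");
  if (headers === null) return false;
  return /"authorization"\s*:/i.test(headers);
}

// Constructed sample editor state; the token value is a placeholder.
const SAMPLE_STATE = {
  query: "{ me { id } }",
  variables: '{"id": 1}',
  headers: '{"Authorization": "Bearer PLACEHOLDER_TOKEN"}',
};

const IDE_URL = "https://example.invalid/graphql";
```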

Fix

Information Disclosure


Related Identifiers

CVE-2026-45739
GHSA-X97M-QP5C-W9XJ

Affected Products

Strawberry
Strawberry Graphql