## Strawberry GraphQL WebSocket Authentication Bypass Exposed in CVE-2026-35523
A critical security flaw in the Strawberry GraphQL framework allows attackers to bypass authentication on WebSocket subscription endpoints. The vulnerability, tracked as CVE-2026-35523, is present in all versions up to 0.312.2. The core failure lies in the legacy `graphql-ws` subprotocol handler, which processes subscription start messages without first verifying that a secure `connection_init` handshake has been successfully completed. This oversight creates a direct path for unauthorized access to protected GraphQL subscriptions.

The issue was patched in the immediate release of Strawberry GraphQL version 0.312.3. The update, flagged as a security priority in dependency management tools like RenovateBot, represents a mandatory patch for any project using the library's WebSocket functionality. The vulnerability advisory (GHSA-vpwc-v33q-mq89) confirms the authentication bypass risk, making this a high-severity fix for backend systems relying on real-time data streams.

This flaw places any application using vulnerable versions of the Strawberry library at immediate risk of data exfiltration and unauthorized operations via its subscription channels. Developers and security teams must treat this as a pressing operational update. The narrow patch window—from version 0.312.2 to 0.312.3—signals the urgency, but also means the exposure was recent and potentially widespread among projects that have not enabled automated security updates.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-35523, GraphQL, WebSocket, Authentication Bypass, Python Security
- **Credibility**: unverified
- **Published**: 2026-04-07 12:27:27
- **ID**: 53123
- **URL**: https://whisperx.ai/en/intel/53123