Denial of Service Vulnerability in Daphne WebSocket Server
CVE-2026-44545

5.3 MEDIUM

Key Information:

CVE Published: 3 June 2026

What is CVE-2026-44545?

Daphne before version 4.2.2 does not enforce limits on WebSocket message size. The default settings in Autobahn's WebSocketServerFactory set both maxFramePayloadSize and maxMessagePayloadSize to 0, which permits arbitrarily large messages. An unauthenticated remote attacker can exploit this to cause excessive memory usage, resulting in a denial of service condition for the affected server.
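The size check that is missing when both limits are 0, as an added example that is not code from Daphne or Autobahn: it reads the payload length a WebSocket frame header declares and rejects the frame before any payload is buffered. The SizeGuard class, the limit values and the sample headers are hypothetical and constructed for illustration.

```python
import struct

CLOSE_MESSAGE_TOO_BIG = 1009  # RFC 6455 close code for an oversized message


def declared_payload_len(header: bytes) -> int:
    """Payload length announced by a WebSocket frame header (RFC 6455, 5.2)."""
    if len(header) < 2:
        raise ValueError("need at least 2 header bytes")
    short = header[1] & 0x7F  # low 7 bits; the top bit is the MASK flag
    if short == 126:  # 16-bit extended length follows
        if len(header) < 4:
            raise ValueError("truncated 16-bit length")
        return struct.unpack("!H", header[2:4])[0]
    if short == 127:  # 64-bit extended length follows
        if len(header) < 10:
            raise ValueError("truncated 64-bit length")
        return struct.unpack("!Q", header[2:10])[0]
    return short


class SizeGuard:
    """Hypothetical per-connection check; a limit of 0 means 'unlimited'."""

    def __init__(self, max_frame=0, max_message=0):
        self.max_frame = max_frame
        self.max_message = max_message
        self.message_bytes = 0  # payload accepted so far for the open message

    def on_frame_header(self, header: bytes):
        """Return None to accept the frame, or a close code to reject it."""
        size = declared_payload_len(header)
        if self.max_frame and size > self.max_frame:
            return CLOSE_MESSAGE_TOO_BIG
        if not header[0] & 0x08:  # data frame (control opcodes are 0x8-0xF)
            total = self.message_bytes + size
            if self.max_message and total > self.max_message:
                return CLOSE_MESSAGE_TOO_BIG
            # FIN bit ends the message, so the running total resets
            self.message_bytes = 0 if header[0] & 0x80 else total
        return None


# Constructed sample headers (no payload bytes are needed for the check)
ONE_GIB_FRAME = bytes([0x82, 0xFF]) + struct.pack("!Q", 1 << 30)  # FIN, binary
FIRST_FRAGMENT = bytes([0x02, 0xFE]) + struct.pack("!H", 60000)   # binary, no FIN
NEXT_FRAGMENT = bytes([0x00, 0xFE]) + struct.pack("!H", 60000)    # continuation
```

With both limits at 0 the guard accepts the 1 GiB header; with a frame limit alone, the two 60000-byte fragments would each pass, which is why the message limit is checked on the running total.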

Affected Version(s)

daphne 4.2.0 <= 4.2.1

daphne 4.2.2

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ParkHyunWoo
Carlton Gibson