Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service
CVE-2026-44545

5.3MEDIUM

Key Information:

Vendor: Djangoproject
Status: Daphne
Vendor: CVE Published:; 3 June 2026

🔔 Create Djangoproject Vulnerability Alert

What is CVE-2026-44545?

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Affected Version(s)

daphne 4.2.0 <= 4.2.1

daphne 4.2.2

References

https://github.com/django/daphne/blob/main/CHANGELOG.txt

release-notes

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
May 6, 2026

Credit

ParkHyunWoo

Carlton Gibson

CVE-2026-44545 Data

JSON