Application-level DOS Vulnerability in Strawberry GraphQL Library
CVE-2026-47706

5.3 MEDIUM

Key Information:

Vendor:
CVE Published:
4 June 2026

What is CVE-2026-47706?

The Strawberry GraphQL library, used for building GraphQL APIs, is vulnerable to an Application-level Denial of Service (DoS) due to inadequate cycle detection in its QueryDepthLimiter extension. Specifically, in versions 0.71.0 through 0.315.6 a query containing circular fragment references causes the determine_depth function to enter an infinite recursion. This leads to a RecursionError that crashes the validation process, potentially rendering applications that use the library inoperable. Users are encouraged to upgrade to version 0.315.7 or later, where this issue has been patched.
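
As an added example (not the library's own code), the following stand-alone depth limiter shows the shape of the fix: it tracks the chain of fragments currently being expanded and rejects a spread that re-enters that chain as a validation error, instead of recursing until the interpreter raises RecursionError. The AST classes, the determine_depth and check_depth functions and the sample documents are constructed for this illustration and do not mirror Strawberry's internals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Field:
    name: str
    selections: list = field(default_factory=list)  # nested Field / FragmentSpread

@dataclass
class FragmentSpread:
    name: str

class QueryValidationError(ValueError):
    """Malformed document: callers answer with a 400 instead of crashing."""

def determine_depth(selections: list, fragments: Dict[str, list],
                    active: Tuple[str, ...] = ()) -> int:
    """Max nesting depth of a selection set. `active` is the chain of fragments being
    expanded right now: a fragment may appear under several siblings (a DAG) but never
    inside its own expansion (a cycle), which is the unbounded-recursion case."""
    max_depth = 0
    for sel in selections:
        if isinstance(sel, FragmentSpread):
            if sel.name in active:
                raise QueryValidationError("fragment cycle: " + " -> ".join(active + (sel.name,)))
            if sel.name not in fragments:
                raise QueryValidationError(f"unknown fragment {sel.name!r}")
            d = determine_depth(fragments[sel.name], fragments, active + (sel.name,))
        else:  # a field adds one level on top of whatever it selects
            d = 1 + determine_depth(sel.selections, fragments, active)
        max_depth = max(max_depth, d)
    return max_depth

def check_depth(selections: list, fragments: Dict[str, list], limit: int) -> Tuple[bool, str]:
    """Enforce a depth limit; every failure becomes a clean rejection message."""
    try:
        depth = determine_depth(selections, fragments)
    except QueryValidationError as exc:
        return False, str(exc)
    if depth > limit:
        return False, f"query depth {depth} exceeds limit {limit}"
    return True, f"query depth {depth} within limit {limit}"

# Constructed sample documents (hand-built ASTs, not parsed from GraphQL text).
SIMPLE_QUERY = [Field("user", [Field("posts", [Field("title")])])]  # depth 3
POST_FRAGMENTS = {"PostFields": [Field("title"), Field("author", [Field("name")])]}
SHARED_QUERY = [Field("user", [Field("posts", [FragmentSpread("PostFields")])]),
                Field("feed", [FragmentSpread("PostFields")])]  # depth 4, fragment reused twice
CYCLIC_FRAGMENTS = {"A": [Field("id"), FragmentSpread("B")], "B": [Field("name"), FragmentSpread("A")]}
CYCLIC_QUERY = [Field("node", [FragmentSpread("A")])]  # A -> B -> A is rejected, not recursed
```

The check must be path-based (the `active` chain) rather than a global "seen" set, or a fragment legitimately reused under two sibling fields would be wrongly rejected.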

Affected Version(s)

strawberry >= 0.71.0, < 0.315.7

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
