Strawberry GraphQL has a Circular Fragment Reference DOS
CVE-2026-47706

5.3MEDIUM

Key Information:

Vendor: Strawberry-graphql
Status: Strawberry
Vendor: CVE Published:; 4 June 2026

🔔 Create Strawberry-graphql Vulnerability Alert

What is CVE-2026-47706?

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue.

Affected Version(s)

strawberry >= 0.71.0, < 0.315.7

References

https://github.com/strawberry-graphql/strawberry/security...

x_refsource_CONFIRM

https://github.com/strawberry-graphql/strawberry/releases...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
May 19, 2026

CVE-2026-47706 Data

JSON