Resource Exhaustion Vulnerability in Strawberry GraphQL Library
CVE-2026-47707

5.3 MEDIUM

Key Information:

Vendor
CVE Published:
4 June 2026

What is CVE-2026-47707?

Strawberry GraphQL versions 0.172.0 through 0.315.6 contain a flaw in the MaxAliasesLimiter extension, the validation rule that is meant to cap the number of aliases a single query may use. The limiter does not adequately account for FragmentSpreadNode, so aliases introduced through fragment spreads are under-counted. Because one fragment can be spread many times, fragment expansion multiplies the number of aliases the executor actually resolves, and a query can therefore pass the configured alias limit while forcing the server to resolve far more aliases than permitted. The resulting CPU and memory load can lead to a denial of service. The issue is fixed in version 0.315.7.
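The following is an added illustration of the bug class described above; it is not Strawberry's code and does not reproduce its MaxAliasesLimiter. The node classes are stand-ins that borrow graphql-core's names (FieldNode, FragmentSpreadNode, FragmentDefinitionNode) but carry only the attributes the count needs, the function names are hypothetical, and the attack document is constructed for the example. It contrasts a limiter that never visits fragment spreads with one that expands them, on the same query.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


# Minimal stand-ins for the GraphQL AST node kinds involved. The names mirror
# graphql-core's, but these are constructed for the example and hold only what
# an alias count needs.
@dataclass
class FieldNode:
    name: str
    alias: Optional[str] = None
    selections: List["SelectionNode"] = field(default_factory=list)


@dataclass
class FragmentSpreadNode:
    name: str  # name of the fragment definition being spread


SelectionNode = Union[FieldNode, FragmentSpreadNode]


@dataclass
class FragmentDefinitionNode:
    name: str
    selections: List[SelectionNode]


@dataclass
class DocumentNode:
    operation: List[SelectionNode]  # top-level selection set of the query
    fragments: Dict[str, FragmentDefinitionNode]


def count_aliases_naive(selections: List[SelectionNode]) -> int:
    """Flawed limiter: walks FieldNodes but has no case for FragmentSpreadNode,
    so every alias that is only reachable through a spread is never counted."""
    total = 0
    for sel in selections:
        if isinstance(sel, FieldNode):
            total += 1 if sel.alias is not None else 0
            total += count_aliases_naive(sel.selections)
        # A FragmentSpreadNode falls through here untouched: the modelled flaw.
    return total


def count_aliases_expanded(
    selections: List[SelectionNode],
    fragments: Dict[str, FragmentDefinitionNode],
    visiting: Tuple[str, ...] = (),
) -> int:
    """Corrected limiter: expands every spread in place, so a fragment spread
    under N distinct parents contributes N times its aliases, which is what the
    executor will actually resolve. `visiting` rejects cyclic spreads."""
    total = 0
    for sel in selections:
        if isinstance(sel, FieldNode):
            total += 1 if sel.alias is not None else 0
            total += count_aliases_expanded(sel.selections, fragments, visiting)
        elif isinstance(sel, FragmentSpreadNode):
            if sel.name in visiting:
                raise ValueError(f"cyclic fragment spread: {sel.name}")
            if sel.name not in fragments:
                raise ValueError(f"unknown fragment: {sel.name}")
            total += count_aliases_expanded(
                fragments[sel.name].selections, fragments, visiting + (sel.name,)
            )
    return total


def build_amplified_query(k: int = 10, m: int = 5, n: int = 5) -> DocumentNode:
    """Constructed attack document (not taken from the advisory). In GraphQL:

        query { u0: user { ...Outer } ... u<n-1>: user { ...Outer } }
        fragment Outer on User { o0: posts { ...Inner } ... o<m-1>: posts { ...Inner } }
        fragment Inner on Post { a0: title ... a<k-1>: title }

    Each spread sits under a distinctly aliased parent so the copies do not
    merge, and the executor resolves n * (1 + m * (1 + k)) aliases in total.
    """
    inner = FragmentDefinitionNode(
        "Inner", [FieldNode("title", alias=f"a{i}") for i in range(k)]
    )
    outer = FragmentDefinitionNode(
        "Outer",
        [FieldNode("posts", alias=f"o{j}", selections=[FragmentSpreadNode("Inner")])
         for j in range(m)],
    )
    operation = [
        FieldNode("user", alias=f"u{i}", selections=[FragmentSpreadNode("Outer")])
        for i in range(n)
    ]
    return DocumentNode(operation, {"Inner": inner, "Outer": outer})


def passes_limit(doc: DocumentNode, max_aliases: int, expand_fragments: bool) -> bool:
    """True when the chosen limiter accepts the document."""
    if expand_fragments:
        seen = count_aliases_expanded(doc.operation, doc.fragments)
    else:
        seen = count_aliases_naive(doc.operation)
    return seen <= max_aliases


if __name__ == "__main__":
    doc = build_amplified_query()
    print("naive count   :", count_aliases_naive(doc.operation))                  # 5
    print("expanded count:", count_aliases_expanded(doc.operation, doc.fragments))  # 280
    print("flawed limiter, max 15:", passes_limit(doc, 15, False))  # True (accepted)
    print("fixed limiter,  max 15:", passes_limit(doc, 15, True))   # False (rejected)
```

The query deliberately puts each spread under a differently aliased parent field. Spreading the same fragment twice into one selection set would not amplify anything, because the GraphQL spec's field-merging rules collect identical fields under one response key; the multiplication comes from distinct aliases, which is exactly what an alias limiter exists to bound. The cycle guard matters too: a limiter that expands spreads without one can itself be driven into unbounded recursion by a self-referencing fragment, so the corrected counter fails closed on cycles and on unknown fragment names.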

Affected Version(s)

strawberry >= 0.172.0, < 0.315.7

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 4 June 2026

  • Vulnerability reserved
