Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
CVE-2026-47707

5.3MEDIUM

Key Information:

Vendor: Strawberry-graphql
Status: Strawberry
Vendor: CVE Published:; 4 June 2026

🔔 Create Strawberry-graphql Vulnerability Alert

What is CVE-2026-47707?

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.

Affected Version(s)

strawberry >= 0.172.0, < 0.315.7

References

https://github.com/strawberry-graphql/strawberry/security...

x_refsource_CONFIRM

https://github.com/strawberry-graphql/strawberry/releases...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
May 19, 2026

CVE-2026-47707 Data

JSON