PatchSiren cyber security CVE debrief

CVE-2026-45739 strawberry-graphql CVE debrief

CVE-2026-45739 is a low-severity vulnerability in Strawberry GraphQL, a library for creating GraphQL APIs. The issue, patched in version 0.315.4, is that the bundled GraphiQL template writes values from the GraphiQL headers editor into the browser URL query string. This can expose sensitive headers, such as authentication tokens, in browser history, copied links, and server/proxy/CDN access logs after a page reload or a shared request.

Vendor: strawberry-graphql
Product: strawberry
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-05
Advisory published: 2026-06-04
Advisory updated: 2026-06-05

Who should care

Developers and administrators using Strawberry GraphQL versions between 0.288.4 and 0.315.3 should be aware of this vulnerability and take action to protect their applications.

Technical summary

The vulnerability is in the GraphiQL template bundled with Strawberry GraphQL. When a user enters headers in the GraphiQL headers editor, the template writes their values into the browser URL query string. Any sensitive value entered there, such as an authentication token, then persists wherever the URL is recorded: browser history, copied or shared links, and server, proxy and CDN access logs.

Defensive priority

Low

Recommended defensive actions

  • Upgrade to Strawberry GraphQL version 0.315.4 or later.
  • Review and clean up browser and server logs to remove any sensitive information that may have been exposed.
  • Educate developers and users about the risks of entering sensitive headers, such as authentication tokens, into GraphiQL and other GraphQL tooling.
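To support the log review above, the following is an added example (not PatchSiren's or Strawberry's code) that scans constructed access-log lines for GraphiQL requests whose query string carries a headers parameter naming a sensitive header, and redacts the value so the line can be kept. The parameter name `headers` and the `/graphql` path are assumptions; the advisory does not name them.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Header names whose values are normally credentials.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}

# Request field of a Common Log Format line: "GET /path?qs HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the bearer value is a placeholder, not a real token.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2026:15:20:01 +0000] "GET /graphql?query=%7B%20me%20%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Jun/2026:15:21:13 +0000] "GET /graphql?query=%7B%20me%20%7D'
    '&headers=%7B%22Authorization%22%3A%22Bearer%20EXAMPLE%22%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Jun/2026:15:22:40 +0000] "GET /graphql?headers=%7B%22X-Trace%22%3A%22abc%22%7D HTTP/1.1" 200 512',
]


def find_leaked_headers(log_lines, param="headers"):
    """Return (line_no, [sensitive header names]) for each line whose request URL
    carries a `param` query value (assumed: JSON object) naming a sensitive header."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)  # percent-decodes values
        for raw in query.get(param, []):
            try:
                headers = json.loads(raw)
            except ValueError:
                continue  # not the JSON shape we expect; ignore
            if not isinstance(headers, dict):
                continue
            leaked = sorted(h for h in headers if h.lower() in SENSITIVE_HEADERS)
            if leaked:
                findings.append((line_no, leaked))
    return findings


def redact_headers_param(line, param="headers"):
    """Replace the percent-encoded value of the headers parameter with a marker."""
    return re.sub(rf'([?&]{re.escape(param)}=)[^&\s"]*', r"\1REDACTED", line)


if __name__ == "__main__":
    for line_no, leaked in find_leaked_headers(SAMPLE_LOG):
        print(f"line {line_no}: leaked {leaked}")
        print("  redacted:", redact_headers_param(SAMPLE_LOG[line_no - 1]))
```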

Evidence notes

CVE-2026-45739 is recorded at [cve.org](https://www.cve.org/CVERecord?id=CVE-2026-45739) with a CVSS score of 3.1. The fix is the [upstream commit](https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9) in the strawberry repository.

Official resources

CVE-2026-45739 was published on 2026-06-04T15:16:54.457Z and modified on 2026-06-05T18:43:20.977Z.