PatchSiren cyber security CVE debrief
CVE-2026-47706 strawberry-graphql CVE debrief
CVE-2026-47706 is a medium-severity vulnerability in Strawberry GraphQL, a library for creating GraphQL APIs. The vulnerability affects versions 0.71.0 through 0.315.6 and is caused by a lack of cycle detection in fragment spreads, leading to an application-level denial of service (DOS). When a query contains circular fragment references, the `determine_depth` function enters an infinite recursion, resulting in a RecursionError and crashing the validation process. The vulnerability has a CVSS score of 5.3 and is classified as CWE-400 and CWE-674.
- Vendor
- strawberry-graphql
- Product
- strawberry
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-05
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-05
Who should care
Users of Strawberry GraphQL versions 0.71.0 through 0.315.6 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The QueryDepthLimiter extension in Strawberry GraphQL is vulnerable to an application-level DOS due to a lack of cycle detection in fragment spreads. This can be exploited by sending a query with circular fragment references, causing the `determine_depth` function to enter an infinite recursion.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to version 0.315.7 or later
- Review and update affected systems and dependencies
Evidence notes
The vulnerability is patched in version 0.315.7. Users can refer to the vendor advisory and release notes for more information.
Official resources
-
CVE-2026-47706 CVE record
CVE.org
-
CVE-2026-47706 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
CVE-2026-47706 was published on 2026-06-04T15:16:54.763Z and modified on 2026-06-05T17:37:58.920Z.