{"vulnerability": "CVE-2026-47706", "sightings": [{"uuid": "34797196-0ba6-4b3d-9615-f80953e7349a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-47706", "type": "published-proof-of-concept", "source": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-qfwv-87qj-98xq", "content": "", "creation_timestamp": "2026-05-19T17:02:15.000000Z"}, {"uuid": "9ba5165f-70f1-4dea-b4fb-07544e30419e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47706", "type": "seen", "source": "https://gist.github.com/alon710/e01fe3eef2f4071e63ac4580c1c830af", "content": "# CVE-2026-47706: CVE-2026-47706: Application-Level Denial of Service via Uncontrolled Recursion in Strawberry GraphQL\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47706\n\n## Summary\nAn application-level Denial of Service vulnerability exists in the Strawberry GraphQL library (versions 0.71.0 through 0.315.6) due to uncontrolled recursion within the QueryDepthLimiter and MaxAliasesLimiter extensions when processing circular fragment references.\n\n## TL;DR\nA recursive fragment loop triggers a RecursionError in Python, crashing worker threads/processes and resulting in complete Denial of Service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-674 / CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: Proof of Concept Available\n- **CISA KEV Status**: Not Listed\n- **Impact**: Availability (Denial of Service)\n\n## Affected Systems\n\n- Strawberry GraphQL\n- **strawberry-graphql**: >= 0.71.0, <= 0.315.6 (Fixed in: `0.315.7`)\n\n## Mitigation\n\n- Upgrade to strawberry-graphql version 0.315.7 or later\n- Temporarily disable QueryDepthLimiter and MaxAliasesLimiter\n- Validate incoming GraphQL queries at an API gateway layer\n\n**Remediation Steps:**\n1. Update the requirements.txt, poetry.lock, or Pipfile to specify strawberry-graphql>=0.315.7\n2. Run dependency installation tool (e.g., pip install --upgrade strawberry-graphql)\n3. Deploy updated container images to staging and production environments\n4. Verify validation rules reject circular fragments without throwing internal server errors\n\n## References\n\n- [GitHub Security Advisory GHSA-qfwv-87qj-98xq](https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-qfwv-87qj-98xq)\n- [Strawberry GraphQL Release v0.315.7](https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7)\n- [CVE-2026-47706 Record Database](https://www.cve.org/CVERecord?id=CVE-2026-47706)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47706) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T16:10:59.000000Z"}]}