{
  "vulnerability": "cve-2026-4770",
  "sightings": [
    {
      "uuid": "004bf0d1-f944-46da-8aeb-d5c9b528646d",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-47707",
      "type": "seen",
      "source": "https://gist.github.com/alon710/010787d34dde83f4031b6f6c155ccffb",
      "content": "# CVE-2026-47707: GraphQL Alias Amplification Bypass in Strawberry GraphQL MaxAliasesLimiter\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47707\n\n## Summary\nA security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. By utilizing GraphQL fragment spreads, clients can trigger high levels of alias amplification, causing uncontrolled backend resource consumption and application-level Denial of Service.\n\n## TL;DR\nThe MaxAliasesLimiter extension in strawberry-graphql fails to account for fragment spreads during pre-execution static analysis. Attackers can bypass alias thresholds and trigger thousands of actual backend executions, leading to denial of service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400 (Uncontrolled Resource Consumption)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 5.3 (Medium)\n- **Exploit Status**: Proof-of-Concept Available\n- **KEV Status**: Not Listed\n- **Primary Impact**: Availability (Application-level Denial of Service)\n\n## Affected Systems\n\n- strawberry-graphql\n- **strawberry-graphql**: >= 0.172.0, < 0.315.7 (Fixed in: `0.315.7`)\n\n## Mitigation\n\n- Upgrade strawberry-graphql to version 0.315.7 or higher.\n- Disable the MaxAliasesLimiter extension in configuration files if immediate patching is not possible.\n- Deploy a Web Application Firewall (WAF) or validation layer to analyze incoming queries for redundant or highly nested fragment distributions.\n\n**Remediation Steps:**\n1. Identify all internal services employing strawberry-graphql in Python dependencies.\n2. Execute pip install --upgrade \"strawberry-graphql>=0.315.7\" or update your pyproject.toml / requirements.txt declarations.\n3. Verify that the GraphQL router initializes the MaxAliasesLimiter with safe max_alias_count configurations.\n4. Run regression testing to confirm that legitimate client operations using fragments continue to work as expected.\n\n## References\n\n- [GHSA-fr49-mhgj-crfc Advisory](https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc)\n- [Strawberry GraphQL Version 0.315.7 Release Notes](https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7)\n- [CVE-2026-47707 CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-47707)\n- [Patch Commit a69221f](https://github.com/strawberry-graphql/strawberry/commit/a69221fb0b86583ceb5755758b294c8319021fd1)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47707) - Automated Vulnerability Intelligence*",
      "creation_timestamp": "2026-06-04T15:20:57.000000Z"
    },
    {
      "uuid": "9ba5165f-70f1-4dea-b4fb-07544e30419e",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-47706",
      "type": "seen",
      "source": "https://gist.github.com/alon710/e01fe3eef2f4071e63ac4580c1c830af",
      "content": "# CVE-2026-47706: Application-Level Denial of Service via Uncontrolled Recursion in Strawberry GraphQL\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47706\n\n## Summary\nAn application-level Denial of Service vulnerability exists in the Strawberry GraphQL library (versions 0.71.0 through 0.315.6) due to uncontrolled recursion within the QueryDepthLimiter and MaxAliasesLimiter extensions when processing circular fragment references.\n\n## TL;DR\nA recursive fragment loop triggers a RecursionError in Python, crashing worker threads/processes and resulting in complete Denial of Service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-674 / CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: Proof of Concept Available\n- **CISA KEV Status**: Not Listed\n- **Impact**: Availability (Denial of Service)\n\n## Affected Systems\n\n- Strawberry GraphQL\n- **strawberry-graphql**: >= 0.71.0, <= 0.315.6 (Fixed in: `0.315.7`)\n\n## Mitigation\n\n- Upgrade to strawberry-graphql version 0.315.7 or later\n- Temporarily disable QueryDepthLimiter and MaxAliasesLimiter\n- Validate incoming GraphQL queries at an API gateway layer\n\n**Remediation Steps:**\n1. Update the requirements.txt, poetry.lock, or Pipfile to specify strawberry-graphql>=0.315.7\n2. Run dependency installation tool (e.g., pip install --upgrade strawberry-graphql)\n3. Deploy updated container images to staging and production environments\n4. Verify validation rules reject circular fragments without throwing internal server errors\n\n## References\n\n- [GitHub Security Advisory GHSA-qfwv-87qj-98xq](https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-qfwv-87qj-98xq)\n- [Strawberry GraphQL Release v0.315.7](https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7)\n- [CVE-2026-47706 Record Database](https://www.cve.org/CVERecord?id=CVE-2026-47706)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47706) - Automated Vulnerability Intelligence*",
      "creation_timestamp": "2026-06-04T16:10:59.000000Z"
    },
    {
      "uuid": "8d3ef115-8d8f-4b13-8d49-d20387cee5b0",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385",
      "vulnerability": "CVE-2026-47707",
      "type": "published-proof-of-concept",
      "source": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc",
      "content": "",
      "creation_timestamp": "2026-05-19T17:02:32.000000Z"
    },
    {
      "uuid": "34797196-0ba6-4b3d-9615-f80953e7349a",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385",
      "vulnerability": "CVE-2026-47706",
      "type": "published-proof-of-concept",
      "source": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-qfwv-87qj-98xq",
      "content": "",
      "creation_timestamp": "2026-05-19T17:02:15.000000Z"
    },
    {
      "uuid": "cc2d6a40-35fd-4bdc-8cec-c90c2b04234e",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385",
      "vulnerability": "CVE-2026-47708",
      "type": "published-proof-of-concept",
      "source": "https://github.com/SepineTam/mcp-for-stata/security/advisories/GHSA-4p62-hqp5-g644",
      "content": "",
      "creation_timestamp": "2026-05-19T16:51:59.000000Z"
    },
    {
      "uuid": "0bf7d5a9-83f7-46f0-bebe-5aee153314e4",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-4770",
      "type": "seen",
      "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mppo3dv4ct2o",
      "content": "CVE-2026-4770: The threat of XSS attacks and ways to protect web applications\n\n\n\nhttps://kripta.biz/posts/A5D3D9CB-37A4-4A56-9A4C-73DDDE088355",
      "creation_timestamp": "2026-07-03T04:03:42.405351Z"
    }
  ]
}
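The two Strawberry sightings above describe the same class of defect from two sides: an alias limiter that counts only the aliases written directly in the operation (so a fragment holding many aliases and spread many times is never charged for them), and limiters that follow fragment spreads with unbounded recursion (so a fragment cycle ends in a Python RecursionError rather than a clean rejection). The example below is added here and is not Strawberry's code, nor the proof of concept from either advisory: it is a pure-standard-library limiter for a small GraphQL subset that charges every alias reached through spreads, caches per-fragment counts so amplification stays linear in document size, and rejects a fragment cycle with an explicit message. The parser (Parser, Field, Spread), the checker (count_aliases, validation_error), the default ceiling of 15 and the three sample queries are all chosen for this illustration; the subset has no arguments, variables, directives, comments or operation names.

```python
# Constructed example, not Strawberry's code: a fragment-aware alias limiter for a
# small GraphQL subset (no arguments, variables, directives, comments or operation
# names). Every name below (Parser, Field, Spread, validation_error, ...) is ours.
import re
from collections import namedtuple

TOKEN_RE = re.compile(r"\s+|,|(\.\.\.|[_A-Za-z][_0-9A-Za-z]*|[{}:])|(.)")
Field = namedtuple("Field", "name alias selections")   # alias is None when absent
Spread = namedtuple("Spread", "name")                   # ...FragmentName

class QueryRejected(Exception):
    """Raised during the walk; validation_error() reports it as a message."""

class Parser:
    def __init__(self, src):
        pairs = TOKEN_RE.findall(src)                    # (token, bad-character) per match
        if bad := [b for _, b in pairs if b]:
            raise SyntaxError(f"unexpected character {bad[0]!r}")
        self.toks, self.i = [t for t, _ in pairs if t] + [None], 0   # None marks end

    peek = property(lambda self: self.toks[self.i])

    def take(self, expected=None):
        tok = self.peek
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def document(self):
        """Returns (operation selection lists, {fragment name: selection list})."""
        ops, frags = [], {}
        while (tok := self.peek) is not None:
            if tok == "fragment":
                self.take(); name = self.take()
                self.take("on"); self.take()         # type condition does not affect limits
                frags[name] = self.selection_set()
            elif tok in ("{", "query", "mutation", "subscription"):
                if tok != "{":
                    self.take()
                ops.append(self.selection_set())
            else:
                raise SyntaxError(f"unexpected {tok!r} at top level")
        return ops, frags

    def selection_set(self):
        self.take("{")
        sels = []
        while self.peek != "}":
            if self.peek == "...":
                self.take()
                if self.peek == "on":                # inline fragment: splice its fields in
                    self.take(); self.take()
                    sels.extend(self.selection_set())
                else:
                    sels.append(Spread(self.take()))
            else:
                alias, name = None, self.take()
                if self.peek == ":":
                    self.take(); alias, name = name, self.take()
                sub = self.selection_set() if self.peek == "{" else []
                sels.append(Field(name, alias, sub))
        self.take("}")
        return sels

def count_aliases(sels, fragments, memo, stack=()):
    """Aliases after expanding every spread (what the resolvers would run). memo caches
    each fragment's count so amplification costs O(document size); stack holds the
    spreads under expansion, so a cycle is rejected instead of hitting RecursionError."""
    total = 0
    for s in sels:
        if isinstance(s, Field):
            total += (s.alias is not None) + count_aliases(s.selections, fragments, memo, stack)
        elif s.name in stack:
            raise QueryRejected("fragment cycle: " + " -> ".join(stack + (s.name,)))
        elif s.name not in fragments:
            raise QueryRejected(f"unknown fragment {s.name}")
        else:
            if s.name not in memo:
                memo[s.name] = count_aliases(fragments[s.name], fragments, memo, stack + (s.name,))
            total += memo[s.name]
    return total

def count_aliases_ignoring_spreads(sels):
    """The undercount the advisory describes: a limiter that never expands spreads."""
    return sum((s.alias is not None) + count_aliases_ignoring_spreads(s.selections)
               for s in sels if isinstance(s, Field))

def validation_error(src, max_aliases=15):
    """None when the query is within the ceiling, else the rejection message."""
    try:
        ops, fragments = Parser(src).document()
        aliases = sum(count_aliases(op, fragments, {}) for op in ops)
    except (QueryRejected, SyntaxError) as e:
        return str(e)
    return None if aliases <= max_aliases else f"{aliases} effective aliases exceed {max_aliases}"

# Constructed inputs: 20 aliases in one fragment spread 50 times (1000 effective,
# 0 for a spread-blind counter), a fragment cycle, and an ordinary one-alias query.
AMPLIFIED = ("fragment F on Query { " + " ".join(f"a{i}: viewer {{ id }}" for i in range(20))
             + " }\nquery { " + " ".join(["...F"] * 50) + " }")
CYCLIC = "query { ...A } fragment A on Query { id ...B } fragment B on Query { id ...A }"
BENIGN = "query { me: viewer { id posts { title } } }"
```

Calling `validation_error(q)` on the three constructed queries returns `None` for BENIGN, `"1000 effective aliases exceed 15"` for AMPLIFIED (where `count_aliases_ignoring_spreads` on the same operation reports 0, the bypass shape), and `"fragment cycle: A -> B -> A"` for CYCLIC, with the walk stopping at the first repeated spread rather than recursing. On a real Strawberry service the same walk would run over graphql-core's parsed AST rather than this toy parser; the points that carry over are that the count must be taken after spread expansion, and that any extension walking fragments on its own must keep its own expansion stack and stop on a repeat. Both gists list disabling the limiters as an interim mitigation; that removes the alias and depth ceilings entirely, so a gateway-side check of this shape is the safer stopgap until 0.315.7 is deployed.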