Skip to main content

Django Daphne CVE-2026-44545

| EUVDEUVD-2026-34091 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-03 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 GHSA-rrc9-mx66-ffcm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable WebSocket endpoint, no auth or interaction, trivial oversized-frame trigger; impact is pure availability via memory exhaustion with no confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 15, 2026 - 20:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 15, 2026 - 20:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 15, 2026 - 20:07 vuln.today
cvss_changed
Severity Changed
Jun 15, 2026 - 20:07 NVD
MEDIUM HIGH
CVSS changed
Jun 15, 2026 - 20:07 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Analysis Generated
Jun 03, 2026 - 14:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 93 pypi packages depend on daphne (45 direct, 50 indirect)

Ecosystem-wide dependent count for version 4.2.2.

DescriptionNVD

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

AnalysisAI

Denial of service in Django Daphne before 4.2.2 allows unauthenticated remote attackers to exhaust server memory by sending oversized WebSocket frames or messages. The flaw stems from Daphne failing to forward maxFramePayloadSize and maxMessagePayloadSize limits to the underlying Autobahn WebSocketServerFactory, which defaults both to unlimited. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS:3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-reachable abuse against any deployment exposing WebSockets.

Technical ContextAI

Daphne is the official ASGI HTTP/WebSocket/HTTP2 server maintained by the Django project, commonly used to serve Django Channels applications. It delegates WebSocket protocol handling to Autobahn|Python's WebSocketServerFactory, which accepts maxFramePayloadSize and maxMessagePayloadSize parameters to bound per-frame and per-message buffer growth. Daphne did not pass these parameters through, so Autobahn fell back to its documented default of 0 (unlimited). This maps cleanly to CWE-770 (Allocation of Resources Without Limits or Throttling): the WebSocket read path accepts attacker-controlled payload sizes without an upper bound, allowing memory to grow until the process or host is starved. The CPE cpe:2.3:a:djangoproject:daphne:*:*:*:*:*:*:*:* confirms the affected product is the upstream djangoproject/daphne package.

RemediationAI

Upgrade to Daphne 4.2.2 or later, which passes maxFramePayloadSize and maxMessagePayloadSize through to Autobahn's WebSocketServerFactory; consult https://github.com/django/daphne/blob/main/CHANGELOG.txt for the release notes and https://nvd.nist.gov/vuln/detail/CVE-2026-44545 for the advisory. If immediate upgrade is not possible, place Daphne behind a reverse proxy (nginx, HAProxy, Envoy, or a CDN/WAF) configured to enforce a maximum WebSocket frame and message size - note this protects the Daphne process but may break legitimate clients that send large messages such as binary file uploads or media streams. As a secondary control, apply per-IP connection and bandwidth rate limits at the proxy or firewall to slow memory exhaustion attempts, and monitor Daphne worker RSS with alerting so an attack triggers restart/scale-out before the host OOMs.

Share

CVE-2026-44545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy