What is the CVSS score of CVE-2026-47706?

CVE-2026-47706 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-47706?

Yes, a public proof-of-concept exploit is available for CVE-2026-47706. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-47706?

Yes, a patch is available for CVE-2026-47706. Update the affected software to the latest version immediately.

Strawberry GraphQL CVE-2026-47706

EUVD-2026-34269 MEDIUM

Uncontrolled Resource Consumption (CWE-400)

2026-06-04 GitHub_M

GHSA-qfwv-87qj-98xq

Denial Of Service Strawberry

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Patch available

Jun 04, 2026 - 16:16 EUVD

Source Code Evidence Fetched

Jun 04, 2026 - 14:53 vuln.today

Analysis Generated

Jun 04, 2026 - 14:53 vuln.today

DescriptionGitHub Advisory

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue.

AnalysisAI

Infinite recursion in Strawberry GraphQL's QueryDepthLimiter extension allows unauthenticated remote attackers to crash the validation process and exhaust server resources by submitting queries with circular fragment references. Affected versions 0.71.0 through 0.315.6 of the pip package strawberry-graphql fail to track visited fragments in the determine_depth function, meaning a trivially crafted two-fragment cycle (A spreads B, B spreads A) triggers a Python RecursionError before any query execution occurs. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify reachable GraphQL HTTP endpoint

Delivery

Craft query with two mutually spreading fragments

Exploit

POST payload unauthenticated

Execution

QueryDepthLimiter triggers infinite recursion in determine_depth

Persist

Python RecursionError crashes validation worker

Impact

Service unavailable to legitimate users

Access

Identify reachable GraphQL HTTP endpoint

Delivery

Craft query with two mutually spreading fragments

Exploit

POST payload unauthenticated

Execution

QueryDepthLimiter triggers infinite recursion in determine_depth

Persist

Python RecursionError crashes validation worker

Impact

Service unavailable to legitimate users

Vulnerability AssessmentAI

Exploitation	Exploitation requires the target Strawberry GraphQL application to have explicitly configured the QueryDepthLimiter extension in its schema definition (e.g., extensions=[QueryDepthLimiter(max_depth=N)]). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 5.3 Medium with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L accurately reflects the attack profile - network-reachable, no authentication, no user interaction - but the Availability:Low rating understates operational impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker sends a single HTTP POST to the target's /graphql endpoint containing a query that defines two fragments mutually referencing each other - Fragment A spreading Fragment B and Fragment B spreading Fragment A - then invokes one of them in the operation body. The QueryDepthLimiter validation phase immediately enters infinite recursion, raises a Python RecursionError, and crashes the request handler. …
Remediation	Upgrade strawberry-graphql to version 0.315.7 or later, which introduces visited-fragment tracking in determine_depth to break circular reference cycles; this release also simultaneously fixes the related MaxAliasesLimiter alias-counting flaw (GHSA-fr49-mhgj-crfc). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-47706 vulnerability details – vuln.today

Back

Strawberry GraphQL CVE-2026-47706

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Share

External POC / Exploit Code