What is the CVSS score of CVE-2026-47707?

CVE-2026-47707 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.1%.

Is there a public PoC exploit available for CVE-2026-47707?

Yes, a public proof-of-concept exploit is available for CVE-2026-47707. Prioritise patching immediately. EPSS: 0.1%.

Is there a patch available for CVE-2026-47707?

Yes, a patch is available for CVE-2026-47707. Update the affected software to the latest version immediately.

Strawberry GraphQL CVE-2026-47707

EUVD-2026-34271 MEDIUM

Uncontrolled Resource Consumption (CWE-400)

2026-06-04 GitHub_M

GHSA-fr49-mhgj-crfc

Denial Of Service Strawberry

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Patch available

Jun 04, 2026 - 16:16 EUVD

Source Code Evidence Fetched

Jun 04, 2026 - 14:52 vuln.today

Analysis Generated

Jun 04, 2026 - 14:52 vuln.today

DescriptionGitHub Advisory

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a dos via resource exhaustion. Version 0.315.7 contains a fix for the issue.

AnalysisAI

Denial-of-service via alias amplification in Strawberry GraphQL (versions 0.172.0 through 0.315.6) allows unauthenticated remote attackers to exhaust server resources by bypassing the MaxAliasesLimiter extension using crafted GraphQL fragment spreads. The limiter performs only a static AST alias count, missing the multiplicative expansion that occurs at execution time when a fragment containing N aliases is spread M times - producing N×M resolved aliases against a limit enforced at N+M. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify public GraphQL endpoint

Delivery

Craft query with high-alias fragment definition

Exploit

Spread fragment many times in single query

Install

Submit unauthenticated HTTP POST

MaxAliasesLimiter bypassed at static check

Execute

Server resolves amplified alias count

Impact

Resource exhaustion causes DoS

Recon

Identify public GraphQL endpoint

Delivery

Craft query with high-alias fragment definition

Exploit

Spread fragment many times in single query

Install

Submit unauthenticated HTTP POST

MaxAliasesLimiter bypassed at static check

Execute

Server resolves amplified alias count

Impact

Resource exhaustion causes DoS

Vulnerability AssessmentAI

Exploitation	The Strawberry GraphQL endpoint must have the MaxAliasesLimiter extension explicitly configured in the schema (e.g., extensions=[MaxAliasesLimiter(max_alias_count=N)]); deployments that never enabled this extension simply have no alias limit and are exposed to unconstrained alias abuse by a different path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L scores 5.3 (Medium), reflecting trivial network reachability with no authentication or user interaction required, but only partial availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker sends a single HTTP POST to a publicly exposed /graphql endpoint containing a crafted query that defines a fragment with 10 aliases and spreads it 100 times across different field aliases in the main query body. The MaxAliasesLimiter observes only the static fragment definition once and passes the query as within limits, while the execution engine resolves 1,000 aliases, far exceeding the intended cap and driving CPU and memory consumption on the server. …
Remediation	Upgrade to Strawberry GraphQL version 0.315.7, which expands fragment spreads when counting aliases and correctly enforces the configured alias limit at execution-time multiplicity. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-47707 vulnerability details – vuln.today

Back

Strawberry GraphQL CVE-2026-47707

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Share

External POC / Exploit Code