Vulnerability-Lookup

CVE-2026-45739 (GCVE-0-2026-45739)

Vulnerability from cvelistv5 – Published: 2026-06-04 14:09 – Updated: 2026-06-04 14:36

Title

Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs

Summary

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-201 - Insertion of Sensitive Information Into Sent Data

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/strawberry-graphql/strawberry/…	x_refsource_CONFIRM
https://github.com/strawberry-graphql/strawberry/…	x_refsource_MISC
https://github.com/strawberry-graphql/strawberry/…	x_refsource_MISC
https://github.com/strawberry-graphql/strawberry/…	x_refsource_MISC
https://github.com/strawberry-graphql/strawberry/…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
strawberry-graphql	strawberry	Affected: >= 0.288.4, < 0.315.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45739",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T14:35:44.208038Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T14:36:06.010Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "strawberry",
          "vendor": "strawberry-graphql",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.288.4, \u003c 0.315.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry\u0027s bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer \u003ctoken\u003e`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T14:09:03.394Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj"
        },
        {
          "name": "https://github.com/strawberry-graphql/strawberry/issues/4398",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strawberry-graphql/strawberry/issues/4398"
        },
        {
          "name": "https://github.com/strawberry-graphql/strawberry/pull/2842",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strawberry-graphql/strawberry/pull/2842"
        },
        {
          "name": "https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9"
        },
        {
          "name": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4"
        }
      ],
      "source": {
        "advisory": "GHSA-x97m-qp5c-w9xj",
        "discovery": "UNKNOWN"
      },
      "title": "Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45739",
    "datePublished": "2026-06-04T14:09:03.394Z",
    "dateReserved": "2026-05-13T06:54:34.219Z",
    "dateUpdated": "2026-06-04T14:36:06.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45739\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-04T15:16:54.457\",\"lastModified\":\"2026-06-04T15:35:18.623\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry\u0027s bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer \u003ctoken\u003e`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-201\"}]}],\"references\":[{\"url\":\"https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/strawberry-graphql/strawberry/issues/4398\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/strawberry-graphql/strawberry/pull/2842\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45739\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-04T14:35:44.208038Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-04T14:35:53.011Z\"}}], \"cna\": {\"title\": \"Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs\", \"source\": {\"advisory\": \"GHSA-x97m-qp5c-w9xj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"strawberry-graphql\", \"product\": \"strawberry\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.288.4, \u003c 0.315.4\"}]}], \"references\": [{\"url\": \"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj\", \"name\": \"https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/strawberry-graphql/strawberry/issues/4398\", \"name\": \"https://github.com/strawberry-graphql/strawberry/issues/4398\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/strawberry-graphql/strawberry/pull/2842\", \"name\": \"https://github.com/strawberry-graphql/strawberry/pull/2842\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9\", \"name\": \"https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4\", \"name\": \"https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry\u0027s bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer \u003ctoken\u003e`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-201\", \"description\": \"CWE-201: Insertion of Sensitive Information Into Sent Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-04T14:09:03.394Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45739\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-04T14:36:06.010Z\", \"dateReserved\": \"2026-05-13T06:54:34.219Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-04T14:09:03.394Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45739

Vulnerability from fkie_nvd - Published: 2026-06-04 15:16 - Updated: 2026-06-04 15:35

Severity

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9
	security-advisories@github.com	https://github.com/strawberry-graphql/strawberry/issues/4398
	security-advisories@github.com	https://github.com/strawberry-graphql/strawberry/pull/2842
	security-advisories@github.com	https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4
	security-advisories@github.com	https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry\u0027s bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer \u003ctoken\u003e`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue."
    }
  ],
  "id": "CVE-2026-45739",
  "lastModified": "2026-06-04T15:35:18.623",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-04T15:16:54.457",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/strawberry-graphql/strawberry/issues/4398"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/strawberry-graphql/strawberry/pull/2842"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-X97M-QP5C-W9XJ

Vulnerability from github – Published: 2026-05-19 15:55 – Updated: 2026-05-19 15:55

Summary

Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs

Details

Summary

Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as Authorization: Bearer <token>, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request.

Affected Versions

Affected: strawberry-graphql >= 0.288.4, <= 0.315.3
Patched: 0.315.4

The vulnerable behavior was introduced by the GraphiQL URL-sharing implementation in commit 9315ef80, first included in release 0.288.4.

Impact

Applications that expose Strawberry's default GraphiQL IDE may leak sensitive HTTP header values entered by users into the GraphiQL headers editor. The default IDE is enabled by graphql_ide="graphiql" across Strawberry HTTP integrations unless disabled or replaced by the application.

The exposure is limited to the browser-based IDE. GraphQL query execution is not affected, and this issue does not allow an attacker to directly execute operations or bypass authorization. Practical exploitation requires a user to enter a secret into the GraphiQL headers editor and then expose the resulting URL, for example by refreshing the page, copying the URL, sharing the URL, or causing the URL to be recorded by logging infrastructure.

Technical Details

The bundled strawberry/static/graphiql.html template parsed URL query parameters into a parameters object and used those values to initialize GraphiQL state. It also updated the URL on editor changes using history.replaceState.

Before the fix, header values were handled like shareable query text and variables:

const [headers, setHeaders] = React.useState(parameters.headers);

function onEditHeaders(newHeaders) {
  setHeaders(newHeaders);
  updateURL({ headers: newHeaders });
}

This meant arbitrary header text entered into the IDE could be serialized into ?headers=....

Fix

The GraphiQL template no longer calls updateURL from onEditHeaders. Query and variable URL sharing remain unchanged, and existing URLs with headers=... can still initialize the headers editor. Header persistence via GraphiQL's own shouldPersistHeaders: true behavior remains enabled, so newly edited headers can still persist locally without being placed in the URL.

Workarounds

Until a patched version can be used, applications can mitigate this issue by disabling the bundled IDE in production:

GraphQLRouter(schema, graphql_ide=None)

Equivalent graphql_ide=None configuration is available in Strawberry's other HTTP integrations.

Applications can also provide a custom GraphiQL template that does not serialize header values into the URL.

Credits

Reported by @lpschroer.

Severity

3.1 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.315.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "strawberry-graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.288.4"
            },
            {
              "fixed": "0.315.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:55:07Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\nStrawberry\u0027s bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer \u003ctoken\u003e`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request.\n\n## Affected Versions\n\n- Affected: `strawberry-graphql \u003e= 0.288.4, \u003c= 0.315.3`\n- Patched: 0.315.4\n\nThe vulnerable behavior was introduced by the GraphiQL URL-sharing implementation in commit `9315ef80`, first included in release `0.288.4`.\n\n## Impact\n\nApplications that expose Strawberry\u0027s default GraphiQL IDE may leak sensitive HTTP header values entered by users into the GraphiQL headers editor. The default IDE is enabled by `graphql_ide=\"graphiql\"` across Strawberry HTTP integrations unless disabled or replaced by the application.\n\nThe exposure is limited to the browser-based IDE. GraphQL query execution is not affected, and this issue does not allow an attacker to directly execute operations or bypass authorization. Practical exploitation requires a user to enter a secret into the GraphiQL headers editor and then expose the resulting URL, for example by refreshing the page, copying the URL, sharing the URL, or causing the URL to be recorded by logging infrastructure.\n\n## Technical Details\n\nThe bundled `strawberry/static/graphiql.html` template parsed URL query parameters into a `parameters` object and used those values to initialize GraphiQL state. It also updated the URL on editor changes using `history.replaceState`.\n\nBefore the fix, header values were handled like shareable query text and variables:\n\n```js\nconst [headers, setHeaders] = React.useState(parameters.headers);\n\nfunction onEditHeaders(newHeaders) {\n  setHeaders(newHeaders);\n  updateURL({ headers: newHeaders });\n}\n```\n\nThis meant arbitrary header text entered into the IDE could be serialized into `?headers=...`.\n\n## Fix\n\nThe GraphiQL template no longer calls `updateURL` from `onEditHeaders`. Query and variable URL sharing remain unchanged, and existing URLs with `headers=...` can still initialize the headers editor. Header persistence via GraphiQL\u0027s own `shouldPersistHeaders: true` behavior remains enabled, so newly edited headers can still persist locally without being placed in the URL.\n\n## Workarounds\n\nUntil a patched version can be used, applications can mitigate this issue by disabling the bundled IDE in production:\n\n```python\nGraphQLRouter(schema, graphql_ide=None)\n```\n\nEquivalent `graphql_ide=None` configuration is available in Strawberry\u0027s other HTTP integrations.\n\nApplications can also provide a custom GraphiQL template that does not serialize header values into the URL.\n\n## Credits\n\nReported by `@lpschroer`.",
  "id": "GHSA-x97m-qp5c-w9xj",
  "modified": "2026-05-19T15:55:07Z",
  "published": "2026-05-19T15:55:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/issues/4398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/pull/2842"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strawberry-graphql/strawberry"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45739 (GCVE-0-2026-45739)

FKIE_CVE-2026-45739

GHSA-X97M-QP5C-W9XJ

Summary

Affected Versions

Impact

Technical Details

Fix

Workarounds

Credits

Tags

Sightings

Nomenclature