Vulnerability Details CVE-2026-45739
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.9%
CVSS Severity
CVSS v3 Score 3.1
Products affected by CVE-2026-45739
- cpe:2.3:a:strawberry:strawberry_graphql:0.288.4
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.3
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.4
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.5
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.6
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.7
- cpe:2.3:a:strawberry:strawberry_graphql:0.289.8
- cpe:2.3:a:strawberry:strawberry_graphql:0.290.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.291.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.291.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.291.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.291.3
- cpe:2.3:a:strawberry:strawberry_graphql:0.292.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.293.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.294.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.295.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.296.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.296.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.296.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.297.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.298.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.298.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.299.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.300.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.301.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.302.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.303.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.303.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.304.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.305.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.306.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.307.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.307.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.308.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.308.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.308.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.308.3
- cpe:2.3:a:strawberry:strawberry_graphql:0.309.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.310.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.310.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.310.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.311.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.311.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.311.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.311.3
- cpe:2.3:a:strawberry:strawberry_graphql:0.312.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.312.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.312.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.312.3
- cpe:2.3:a:strawberry:strawberry_graphql:0.312.4
- cpe:2.3:a:strawberry:strawberry_graphql:0.313.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.314.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.314.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.314.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.314.3
- cpe:2.3:a:strawberry:strawberry_graphql:0.315.0
- cpe:2.3:a:strawberry:strawberry_graphql:0.315.1
- cpe:2.3:a:strawberry:strawberry_graphql:0.315.2
- cpe:2.3:a:strawberry:strawberry_graphql:0.315.3