CVE-2026-45739

Published: Jun 4, 2026Modified: Jun 5, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.

Affected (1)

Products: Strawberry: Strawberry Graphql

1 product

Strawberry Graphql

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Strawberry Strawberry Graphql	From 0.288.4 to 0.315.4

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References (5)

https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9

Source: security-advisories@github.com

Patch

https://github.com/strawberry-graphql/strawberry/issues/4398

Source: security-advisories@github.com

Issue Tracking

https://github.com/strawberry-graphql/strawberry/pull/2842

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj

Source: security-advisories@github.com

MitigationVendor Advisory

Timeline

No history available yet.