CVE-2026-42544 HIGH

CVE-2026-42544: Granian: Unauthenticated DoS via WebSocket subprotocol header panic

Vendor Emmett-Framework
Product granian
Weakness CWE-20 · Input validation
Published May 12, 2026
Last update May 18, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.
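
As an added example (not Granian's code and not its patch), the following Rust function treats the Sec-WebSocket-Protocol value as untrusted bytes and returns an error the caller can map to a 400 response rather than panicking. The type and function names are hypothetical, the strict RFC 7230 token check is an assumption about what a server should accept, and the sample values are constructed.

```rust
// Added example: hypothetical names, not Granian's code.
#[derive(Debug, PartialEq)]
pub enum SubprotocolError {
    NonAscii { offset: usize },     // byte >= 0x80 in the header value
    InvalidToken { offset: usize }, // ASCII byte outside the token grammar
    Empty,                          // empty value or empty list element
}

/// RFC 7230 "tchar": the bytes allowed in a subprotocol name.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

/// Optional whitespace allowed around list elements.
fn is_ows(b: u8) -> bool {
    b == b' ' || b == b'\t'
}

/// Parse a raw Sec-WebSocket-Protocol value into subprotocol names.
/// Operates on bytes, so malformed input yields Err instead of a panic.
pub fn parse_subprotocols(raw: &[u8]) -> Result<Vec<String>, SubprotocolError> {
    if let Some(offset) = raw.iter().position(|b| !b.is_ascii()) {
        return Err(SubprotocolError::NonAscii { offset });
    }
    let mut names = Vec::new();
    let mut base = 0; // offset of the current list element within `raw`
    for part in raw.split(|&b| b == b',') {
        let lead = part.iter().take_while(|&&b| is_ows(b)).count();
        let trail = part[lead..].iter().rev().take_while(|&&b| is_ows(b)).count();
        let token = &part[lead..part.len() - trail];
        if token.is_empty() {
            return Err(SubprotocolError::Empty);
        }
        if let Some(bad) = token.iter().position(|&b| !is_tchar(b)) {
            return Err(SubprotocolError::InvalidToken { offset: base + lead + bad });
        }
        // Every byte is a validated ASCII tchar, so this conversion is lossless.
        names.push(token.iter().map(|&b| b as char).collect());
        base += part.len() + 1;
    }
    Ok(names)
}

fn main() {
    // Constructed sample header values, not captured traffic.
    let samples: [&[u8]; 3] = [b"graphql-ws, mqtt", b"chat\xc3\xa9", b"chat,,superchat"];
    for raw in samples {
        println!("{:?}", parse_subprotocols(raw));
    }
}
```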

Key dates

02 Disclosure timeline

May 12, 2026 CVE published
May 18, 2026 Record updated