CVE-2026-42545 MEDIUM

CVE-2026-42545: Granian: DoS via WSGI response header panic

Vendor Emmett-Framework
Product granian
Weakness CWE-248
Published May 12, 2026
Last update May 14, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.
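The following is an added example, not Granian's code: a WSGI middleware that checks response header names and values before they reach the server, so malformed application output becomes a logged 500 rather than input to the conversion path. `HeaderGuard`, `invalid_headers` and the sample app are hypothetical names, and the RFC 9110 field syntax used for validation is an assumption about what the server's header constructors reject.

```python
import re

# Field syntax per RFC 9110; assumed here to approximate what the server accepts.
_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")      # "token"
_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")          # no CR, LF, NUL, other controls
_BODY = b"Internal Server Error"


def invalid_headers(headers):
    """Return the (name, value) pairs that fail the field-syntax checks."""
    return [
        (n, v) for n, v in headers
        if not (isinstance(n, str) and isinstance(v, str)
                and _NAME.fullmatch(n) and _VALUE.fullmatch(v))
    ]


class HeaderGuard:
    """Hypothetical WSGI middleware: answer 500 instead of forwarding bad headers."""

    def __init__(self, app, log=print):
        self.app, self.log = app, log

    def __call__(self, environ, start_response):
        rejected = []

        def guarded_start(status, headers, exc_info=None):
            rejected.extend(invalid_headers(headers))
            if not rejected:
                return start_response(status, headers, exc_info)
            self.log("invalid response headers: %r" % [n for n, _ in rejected])
            safe = [("Content-Type", "text/plain"), ("Content-Length", str(len(_BODY)))]
            return start_response("500 Internal Server Error", safe, exc_info)

        result = self.app(environ, guarded_start)
        try:
            for chunk in result:      # start_response may only run on first iteration
                if rejected:
                    break
                yield chunk
            if rejected:
                yield _BODY
        finally:
            if hasattr(result, "close"):
                result.close()


def constructed_bad_app(environ, start_response):
    # Constructed sample: a header value carrying CR/LF from unchecked input.
    start_response("200 OK", [("Content-Type", "text/plain"), ("X-Trace", "a\r\nb")])
    return [b"hello"]
```

Wrapping the application as `HeaderGuard(app)` is a stopgap for deployments that cannot yet move to the fixed release; the log line identifies which handler emitted the malformed header.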

Key dates

02 Disclosure timeline

May 12, 2026 CVE published
May 14, 2026 Record updated
