PYSEC-2026-2282

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/strawberry-graphql/PYSEC-2026-2282.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2282
Aliases
Published
2026-06-04T15:16:54.457Z
Modified
2026-07-13T07:15:44.042291538Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as Authorization: Bearer <token>, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.

References

Affected packages

PyPI / strawberry-graphql

Package

Name
strawberry-graphql
View open source insights on deps.dev
Purl
pkg:pypi/strawberry-graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.288.4
Fixed
0.315.4

Affected versions

0.*
0.288.4
0.289.0
0.289.1
0.289.2
0.289.3
0.289.4
0.289.5
0.289.6
0.289.7
0.289.8
0.290.0
0.291.0
0.291.1
0.291.2.dev1770456508
0.291.2.dev1771437961
0.291.2
0.291.3
0.292.0
0.293.0
0.294.0
0.295.0
0.296.0
0.296.1
0.296.2
0.297.0
0.298.0
0.298.1
0.299.0
0.300.0
0.301.0
0.302.0
0.303.0
0.303.1
0.304.0
0.305.0
0.306.0
0.307.0
0.307.1
0.308.0
0.308.1
0.308.2
0.308.3
0.309.0
0.310.0
0.310.1
0.310.2
0.311.0
0.311.1
0.311.2
0.311.3
0.312.0
0.312.1
0.312.2
0.312.3
0.312.4
0.313.0
0.314.0
0.314.1
0.314.2
0.314.3
0.315.0
0.315.1
0.315.2
0.315.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/strawberry-graphql/PYSEC-2026-2282.yaml"