CVE-2026-44545

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-44545
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44545.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-44545
Aliases
Downstream
Published
2026-06-03T13:17:42.907Z
Modified
2026-06-18T03:56:04.290057954Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service
Details

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Database specific 
{
    "cna_assigner": "DSF",
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44545.json"
}
References

Affected packages

Git / github.com/django/daphne

Affected ranges

Type
GIT
Repo
https://github.com/django/daphne
Events
Introduced
ce3e7f6156a29a3604ca0130ddaed488fbd2eeda
Fixed
c19f2f4301cc0c26fbf7ed2080eace9e76aec3b6
Database specific 
{
    "cpe": "cpe:2.3:a:djangoproject:daphne:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "4.2.0"
        },
        {
            "last_affected": "4.2.1"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "4.2.2"
        }
    ]
}

Affected versions

4.*
4.2.0
4.2.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44545.json"