CVE-2026-42544

HIGH LAB

Granian: Unauthenticated DoS via WebSocket subprotocol header panic

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42544. PoCs published by dwisiswant0.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-42544, a denial-of-service vulnerability in Granian ASGI/WSGI server. The exploit sends a crafted WebSocket upgrade request with non-ASCII bytes in the Sec-WebSocket-Protocol header, causing the server to panic and abort.

Description

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.

Exploits (1)

github WORKING POC 1 stars

by dwisiswant0 · pythonpoc

https://github.com/dwisiswant0/neo-pocs/tree/master/2026/CVE-2026-42544

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-42544, a denial-of-service vulnerability in Granian ASGI/WSGI server. The exploit sends a crafted WebSocket upgrade request with non-ASCII bytes in the Sec-WebSocket-Protocol header, causing the server to panic and abort.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: Granian (>= 1.2.0, < 2.7.4)

No auth needed

Prerequisites: Network access to the target Granian server

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed May 14, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/emmett-framework/granian/security/advisories/GHSA-vrg7-482j-p6f6

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 24.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

https://github.com/dwisiswant0/neo-pocs

View in Library

Details

CWE

CWE-20 CWE-248 CWE-400

Status published

Products (2)

emmett-framework/granian >= 1.2.0, < 2.7.4

pypi/granian 1.2.0 - 2.7.4PyPI

Published May 12, 2026

Tracked Since May 13, 2026