CVE-2026-44545

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Jun 03, 2026

Vendor unknown

Description

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

References

https://github.com/django/daphne/blob/main/CHANGELOG.txt