CVE-2026-44545

Summary

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Affected Software

VendorProductVersion RangeStatus
djangoprojectdaphne4.2.0 <= 4.2.1affected
djangoprojectdaphne4.2.2unaffected

Weaknesses

  • CWE-770: CWE-770 (Allocation of Resources Without Limits or Throttling)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References