
CVE-2026-48802: python-engineio has unbound thread allocation that can cause denial of service

June 26, 2026

An attacker can cause the python-engineio server to create unnecessary background threads by abusing the heartbeat mechanism, which launches a thread when a new connection is received and when the client sends a PONG packet.

Note: this issue primarily affects synchronous servers. Asynchronous servers allocate background tasks instead of operating-system threads; these are lightweight and less likely to cause denial of service. The fix was nevertheless also applied to the asynchronous case.

References

  • github.com/advisories/GHSA-cgwc-pv48-fhj5
  • github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-cgwc-pv48-fhj5
  • nvd.nist.gov/vuln/detail/CVE-2026-48802

Affected versions

All versions before 4.13.2

Fixed versions

  • 4.13.2

Solution

Upgrade to version 4.13.2 or above.
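As an added example (not part of the GitLab advisory or of the python-engineio project), the following Python check flags `python-engineio` requirement pins below the fixed version 4.13.2. The requirements lines are constructed sample input, and the helper names (`is_affected`, `scan_requirements`) are my own.

```python
"""Flag python-engineio pins affected by CVE-2026-48802 (fixed in 4.13.2)."""
import re

FIXED_VERSION = (4, 13, 2)
PACKAGE = "python-engineio"

# Constructed sample requirements file (not taken from the advisory page).
SAMPLE_REQUIREMENTS = """\
flask==3.0.3
python-engineio==4.12.0
python-socketio==5.11.0   # depends on python-engineio; not visible to this scan
python-engineio==4.13.2
python_engineio==4.9.1
python-engineio>=4.0
"""


def parse_version(text):
    """Return a tuple of ints for the numeric release segment of a version.

    Pre-/post-release suffixes such as 'rc1' are ignored; only the dotted
    numeric part is compared against FIXED_VERSION.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so (4, 13) compares like (4, 13, 0).
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True when the given python-engineio version is before 4.13.2."""
    return parse_version(version) < FIXED_VERSION


def normalize_name(name):
    """PEP 503 name normalisation: lower-case and collapse runs of -, _, ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text):
    """Classify every python-engineio requirement line in a requirements file.

    Returns a list of (line, status) where status is 'affected', 'fixed', or
    'unpinned' (the specifier is not '==', so the resolved version cannot be
    determined from the file alone).
    """
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(
            r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S*)", line
        )
        if not m or normalize_name(m.group(1)) != PACKAGE:
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==" and ver:
            status = "affected" if is_affected(ver) else "fixed"
        else:
            status = "unpinned"
        results.append((line, status))
    return results


if __name__ == "__main__":
    for line, status in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:9} {line}")
```

The check only sees direct pins in the file it is given; a package that pulls `python-engineio` in transitively (as the `python-socketio` line in the sample does) is not reported, so run it against a fully resolved lockfile or the output of `pip freeze` rather than a hand-written requirements list.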

Impact: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

pypi/python-engineio/CVE-2026-48802.yml

Page generated Sat, 27 Jun 2026 00:17:22 +0000.