CVE-2026-48809: python-engineio has possible denial of service due to maximum payload size sometimes not being enforced

June 26, 2026

There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:

POST requests, when using ASGI with the long polling transport
WebSocket messages, when using Aiohttp with the WebSocket transport

References

github.com/advisories/GHSA-m9gh-vj53-gvh9
github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-m9gh-vj53-gvh9
nvd.nist.gov/vuln/detail/CVE-2026-48809

Code Behaviors & Features

Detect and mitigate CVE-2026-48809 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →