EXECUTIVE SUMMARY:
CVE-2026-32689, with a CVSS score of 8.7, is a denial-of-service vulnerability in Phoenix's long-poll transport that allows a remote client to allocate a large amount of memory with an HTTP request, causing the node to run out of memory. It affects Phoenix projects with public Longpoll sockets or Phoenix.Sockets with the longpoll option enabled, specifically those running Phoenix versions 1.7.11 and later. An unauthenticated attacker can exploit it by issuing a POST request with a large NDJSON body to the application/x-ndjson endpoint. An attacker with this capability can impact the availability of the system by consuming network bandwidth, processor cycles, or disk space, and potentially bring the entire system down due to resource exhaustion.
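An exposure check built from the two conditions in the summary above (Phoenix 1.7.11 or later, and a socket with the longpoll option enabled), added here as an example and not taken from the advisory or the Phoenix project. The function names, the sample mix.lock and the endpoint source are constructed; the script reads only the locked version and the socket declarations, so it cannot tell whether a socket is publicly reachable.

```python
import re

# Constructed sample inputs (not taken from any real project).
SAMPLE_MIX_LOCK = '''%{
  "phoenix": {:hex, :phoenix, "1.7.14", "0000", [:mix], [], "hexpm", "0000"},
  "phoenix_live_view": {:hex, :phoenix_live_view, "0.20.17", "0000", [:mix], [], "hexpm", "0000"},
}
'''
SAMPLE_ENDPOINT = '''defmodule DemoWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :demo
  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]],
    longpoll: [connect_info: [session: @session_options]]
  # socket "/old", DemoWeb.OldSocket, longpoll: true
  socket "/socket", DemoWeb.UserSocket, websocket: true, longpoll: false
end
'''

# First affected release per the advisory text; the page names no fixed
# release, so no upper bound is applied here.
FIRST_AFFECTED = (1, 7, 11)
# A socket declaration plus any continuation lines that end in a comma.
SOCKET_RE = re.compile(r'^[ \t]*socket[ \t(]+"([^"]+)"((?:.*,[ \t]*\n)*.*)', re.M)

def phoenix_version(mix_lock):
    """Return the locked Phoenix version as an int tuple, or None if absent."""
    m = re.search(r'"phoenix":\s*\{:hex,\s*:phoenix,\s*"(\d+)\.(\d+)\.(\d+)', mix_lock)
    return tuple(int(p) for p in m.groups()) if m else None

def longpoll_sockets(endpoint_src):
    """Return mount paths of socket declarations that enable long polling."""
    paths = []
    for path, opts in SOCKET_RE.findall(endpoint_src):
        # Phoenix.Endpoint.socket/3 defaults :longpoll to false, so only an
        # explicit value other than false (true or an option list) counts.
        opt = re.search(r'\blongpoll:\s*(\w+|\[)', opts)
        if opt and opt.group(1) != "false":
            paths.append(path)
    return paths

def assess(mix_lock, endpoint_src):
    """Return (version, longpoll_paths, exposed) for one project."""
    version = phoenix_version(mix_lock)
    paths = longpoll_sockets(endpoint_src)
    return version, paths, bool(version and version >= FIRST_AFFECTED and paths)

if __name__ == "__main__":
    print(assess(SAMPLE_MIX_LOCK, SAMPLE_ENDPOINT))
```

A project flagged here still needs its fixed release confirmed against the linked advisory, since this page does not state one.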
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-628h-q48j-jr6q