DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-42793: Unauthenticated Remote Denial of Service in Absinthe GraphQL via Atom Exhaustion

Vulnerability ID: CVE-2026-42793
CVSS Score: 8.2
Published: 2026-05-14

CVE-2026-42793 is a critical resource exhaustion vulnerability in the Absinthe GraphQL library for Elixir. Unauthenticated attackers can exploit unsafe atom creation during Schema Definition Language (SDL) parsing to trigger a system-wide crash of the Erlang Virtual Machine (BEAM).

TL;DR

Absinthe versions prior to 1.10.2 are vulnerable to unauthenticated remote DoS. Attackers can submit large GraphQL SDL payloads containing unique identifiers, exhausting the BEAM atom table and crashing the host application.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS Score: 8.2
  • EPSS Score: 0.00064
  • Impact: Complete Denial of Service (VM Crash)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Applications utilizing absinthe-graphql/absinthe for Elixir
  • Erlang Virtual Machine (BEAM) running vulnerable Absinthe nodes
  • absinthe: >= 1.5.0, < 1.10.2 (Fixed in: 1.10.2)

Code Analysis

Commit: dd842b9

The fix introduces Absinthe.Phase.Document.Validation.ExecutableDefinitions, a validation phase that enforces section 5.1.1 (Executable Definitions) of the GraphQL specification and rejects any document containing TypeSystemDefinition nodes before it reaches Blueprint conversion.

Mitigation Strategies

  • Upgrade Absinthe to version 1.10.2 or later.
  • Enforce strict payload size limits via Web Application Firewalls (WAF) to prevent bulk identifier injection.
  • Implement custom pre-parsing validation for applications that manually invoke Absinthe Blueprint conversion logic.

Remediation Steps:

  1. Update the mix.exs dependency specification for absinthe to version 1.10.2.
  2. Execute mix deps.get to fetch the updated package.
  3. Review the application codebase for manual calls to Absinthe.Blueprint.Draft.convert/2 outside the standard plug pipeline.
  4. Deploy the updated application to target environments and monitor BEAM atom table usage.
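As an added illustration of the third mitigation and the monitoring in step 4 (example code written for this post, not Absinthe's own; the module name, the keyword list and the 64 KiB limit are assumptions): an Elixir pre-parse guard that refuses any document whose top level holds anything other than operations and fragments, plus a helper that reports atom-table headroom through :erlang.system_info/1.

```elixir
defmodule ExecutableOnlyGuard do
  # Added example, not Absinthe's own code: refuse GraphQL documents carrying
  # type-system (SDL) definitions before parsing, and report atom-table headroom.

  # Only these names may open a top-level definition in an executable document.
  @executable_keywords ~w(query mutation subscription fragment)
  @max_bytes 64 * 1024

  @doc "Returns :ok or {:error, reason} for a raw GraphQL document string."
  def check(doc) when is_binary(doc) do
    if byte_size(doc) > @max_bytes, do: {:error, :document_too_large}, else: scan(doc, 0, false)
  end

  # d: brace depth; h: true between a top-level keyword and its opening "{",
  # where operation names, variables and directives are legitimately present.
  defp scan(<<>>, _d, _h), do: :ok
  defp scan(<<"#", r::binary>>, d, h), do: scan(skip_line(r), d, h)
  defp scan(<<"\"\"\"", r::binary>>, d, h), do: continue(skip_str(r, :block), d, h)
  defp scan(<<"\"", r::binary>>, d, h), do: continue(skip_str(r, :plain), d, h)
  defp scan(<<"{", r::binary>>, d, _h), do: scan(r, d + 1, false)
  defp scan(<<"}", _::binary>>, 0, _h), do: {:error, :unbalanced_braces}
  defp scan(<<"}", r::binary>>, d, h), do: scan(r, d - 1, h)
  # A name at top level outside a header must be an executable keyword, so
  # "type", "schema", "extend" etc. are refused before any atoms are created.
  defp scan(<<c, _::binary>> = bin, 0, false) when c in ?a..?z or c in ?A..?Z or c == ?_ do
    {name, rest} = take_name(bin, <<>>)
    if name in @executable_keywords, do: scan(rest, 0, true), else: {:error, {:type_system_definition, name}}
  end
  defp scan(<<c, _::binary>> = bin, d, h) when c in ?a..?z or c in ?A..?Z or c == ?_ do
    {_name, rest} = take_name(bin, <<>>)
    scan(rest, d, h)
  end
  defp scan(<<_, r::binary>>, d, h), do: scan(r, d, h)

  defp continue({:ok, rest}, d, h), do: scan(rest, d, h)
  defp continue(:error, _d, _h), do: {:error, :unterminated_string}
  defp take_name(<<c, r::binary>>, acc) when c in ?a..?z or c in ?A..?Z or c in ?0..?9 or c == ?_, do: take_name(r, <<acc::binary, c>>)
  defp take_name(rest, acc), do: {acc, rest}
  defp skip_line(<<"\n", r::binary>>), do: r
  defp skip_line(<<_, r::binary>>), do: skip_line(r)
  defp skip_line(<<>>), do: <<>>
  # Skip a "..." or """...""" literal so its contents cannot spoof tokens.
  defp skip_str(<<"\\", _, r::binary>>, delim), do: skip_str(r, delim)
  defp skip_str(<<"\"\"\"", r::binary>>, :block), do: {:ok, r}
  defp skip_str(<<"\"", r::binary>>, :plain), do: {:ok, r}
  defp skip_str(<<_, r::binary>>, delim), do: skip_str(r, delim)
  defp skip_str(<<>>, _delim), do: :error

  @doc "Fraction of the BEAM atom table in use; alert well before it reaches 1.0."
  def atom_table_usage, do: :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit)
end
```

Call check/1 on the request body in a plug placed ahead of Absinthe.Plug and export atom_table_usage/0 as a gauge; the guard complements the 1.10.2 upgrade rather than replacing it.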


Read the full report for CVE-2026-42793 on our website for more details including interactive diagrams and full exploit analysis.
