CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-8469: Denial of Service via BEAM Atom Table Exhaustion in phoenix_storybook

Vulnerability ID: CVE-2026-8469
CVSS Score: 8.2
Published: 2026-06-09

An unauthenticated Denial-of-Service (DoS) vulnerability exists in phoenix_storybook versions 0.2.0 through 1.0.11 due to allocation of resources without limits (CWE-770). The library converts user-supplied parameter keys to atoms at runtime; because atoms are never garbage-collected, every distinct key permanently occupies a slot in the BEAM atom table, and once that table is full the virtual machine crashes immediately.

TL;DR

Unauthenticated remote attackers can crash the entire Elixir application by exhausting the Erlang VM atom table via crafted websocket payloads targeting the storybook playground.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network (AV:N)
  • CVSS Score: 8.2 (High)
  • Exploit Status: Proof-of-Concept
  • Affected Versions: >= 0.2.0, < 1.1.0
  • Remediation: Upgrade to version 1.1.0 or higher

Affected Systems

  • phoenix_storybook (Elixir Hex Package)
  • phoenix_storybook: >= 0.2.0, < 1.1.0 (Fixed in: 1.1.0)

Code Analysis

Commit: 96d5246

Fix atom table leak by replacing dynamic String.to_atom with safe lookup logic
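To illustrate the pattern the commit message describes, the following Elixir module is an added example written for this post and is not code from phoenix_storybook: it places the unsafe String.to_atom conversion next to a lookup against a fixed set of known atoms, and adds a runtime check of atom-table headroom. The attribute names in the allow-list are assumed for the example.

```elixir
# Added example (not phoenix_storybook code): unsafe vs. safe handling of
# user-supplied parameter keys, plus an atom-table usage check for monitoring.
defmodule AtomTableDemo do
  # Hypothetical allow-list of attribute names a playground form accepts.
  # These atoms are created once at compile time; user input never adds any.
  @allowed_keys [:label, :variant, :size, :disabled]
  @allowed_by_name Map.new(@allowed_keys, fn k -> {Atom.to_string(k), k} end)

  # Vulnerable pattern: every distinct user-supplied key becomes a new atom.
  # Atoms are never garbage-collected, so a stream of ever-changing keys
  # fills the atom table and the VM halts.
  def unsafe_keys_to_atoms(params) when is_map(params) do
    Map.new(params, fn {k, v} -> {String.to_atom(k), v} end)
  end

  # Safe pattern: look each key up in a fixed map of known atoms and drop
  # anything unknown. No atom is ever created from user input.
  def safe_keys_to_atoms(params) when is_map(params) do
    Enum.reduce(params, %{}, fn {k, v}, acc ->
      case Map.fetch(@allowed_by_name, k) do
        {:ok, atom} -> Map.put(acc, atom, v)
        :error -> acc
      end
    end)
  end

  # Alternative when the set of valid atoms already exists elsewhere:
  # String.to_existing_atom/1 raises ArgumentError for unknown strings.
  def safe_existing_atom(key) when is_binary(key) do
    {:ok, String.to_existing_atom(key)}
  rescue
    ArgumentError -> :error
  end

  # Operational check: fraction of the atom table in use. A count that
  # climbs steadily under untrusted traffic is a sign of this class of leak.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, ratio: count / limit}
  end
end
```

Calling AtomTableDemo.atom_table_usage/0 from a periodic health check (or exposing it as a metric) gives early warning well before the limit is reached.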

Mitigation Strategies

  • Upgrade phoenix_storybook to version 1.1.0 or higher
  • Implement strict authentication and authorization plugs on storybook routes
  • Configure the Erlang VM with a larger atom table limit (the +t emulator flag) as a temporary measure; this only raises the ceiling and does not stop the leak, so it buys time rather than fixing the issue

Remediation Steps:

  1. Open the mix.exs file in the project root
  2. Update the phoenix_storybook entry to depend on '~> 1.1.0'
  3. Run 'mix deps.get' to fetch and resolve dependencies
  4. Recompile the application and execute automated tests to verify stability
  5. Deploy the updated build to production environments

Read the full report for CVE-2026-8469 on our website for more details including interactive diagrams and full exploit analysis.
