CVE-2026-8468
HIGHUnbounded buffer accumulation in multipart header parsing causes denial of service in plug
Title source: cnaDescription
Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
References (9)
Core 9
Core References
Vendor Advisory vendor-advisory
related
https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64
Related related
https://cna.erlef.org/cves/CVE-2026-8468.html
Related related
https://osv.dev/vulnerability/EEF-CVE-2026-8468
Related related
https://cna.erlef.org/cves/CVE-2026-8466.html
Scores
CVSS v4
8.2
EPSS
0.0027
EPSS Percentile
50.3%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (11)
elixir-plug/plug
1.16.0 - 1.16.3
elixir-plug/plug
1.17.0 - 1.17.1
elixir-plug/plug
1.18.0 - 1.18.2
elixir-plug/plug
1.19.0 - 1.19.2
elixir-plug/plug
1.4.0 - 1.15.4
elixir-plug/plug
c52b2f32c90bccd718202bafccb5f95594e30183
Hex/plug
1.16.0 - 1.16.3Hex
Hex/plug
1.17.0 - 1.17.1Hex
Hex/plug
1.18.0 - 1.18.2Hex
Hex/plug
1.19.0 - 1.19.2Hex
... and 1 more
Published
May 14, 2026
Tracked Since
May 14, 2026