Resource Exhaustion Vulnerability in elixir-plug's plug_cowboy Affects Unauthenticated Remote Access
CVE-2026-32688

8.7 HIGH

Key Information:

Vendor
CVE Published:
27 April 2026

What is CVE-2026-32688?

A resource exhaustion vulnerability in elixir-plug's plug_cowboy allows unauthenticated remote attackers to cause a denial of service through atom table exhaustion. Over HTTP/2 connections, plug_cowboy accepts client-supplied :scheme pseudo-header values, and each unique value is permanently allocated as an atom with no limit on how many can be created. Because the atom table has a fixed size, an attacker can fill it, at which point the Erlang virtual machine aborts. This brings down the entire node and disrupts every service that relies on an affected version of plug_cowboy, that is, any version prior to 2.8.1.
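
The failure mode described above, as an added example (not plug_cowboy's code and not the project's fix): converting untrusted strings with String.to_atom/1 grows the atom table permanently, while an allow-list only ever returns atoms that already exist. The module and function names are hypothetical, and the sample values are constructed.

```elixir
defmodule SchemeExample do
  # Hypothetical module for illustration; not plug_cowboy code.

  # Unsafe pattern: each distinct untrusted string becomes a new atom.
  # Atoms are never garbage collected, so the table only grows.
  def unsafe_scheme(value) when is_binary(value), do: String.to_atom(value)

  # Hardened pattern: a closed allow-list. Unknown input stays a string
  # and is rejected, so no new atom is ever created from client data.
  def safe_scheme("http"), do: {:ok, :http}
  def safe_scheme("https"), do: {:ok, :https}
  def safe_scheme(other) when is_binary(other), do: {:error, :unsupported_scheme}

  # Current atom table usage, suitable for exporting as a health metric.
  def atom_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, percent: Float.round(count * 100 / limit, 3)}
  end

  # Number of atoms added to the table while `fun` runs.
  def atoms_created(fun) when is_function(fun, 0) do
    before = :erlang.system_info(:atom_count)
    fun.()
    :erlang.system_info(:atom_count) - before
  end
end

# Constructed sample input: 1,000 distinct strings standing in for
# client-supplied scheme values. Kept small and local to the running VM.
values = for i <- 1..1_000, do: "constructed-scheme-#{i}"

safe = SchemeExample.atoms_created(fn -> Enum.each(values, &SchemeExample.safe_scheme/1) end)
unsafe = SchemeExample.atoms_created(fn -> Enum.each(values, &SchemeExample.unsafe_scheme/1) end)

IO.puts("atoms added by allow-list:       #{safe}")
IO.puts("atoms added by String.to_atom/1: #{unsafe}")
IO.inspect(SchemeExample.atom_usage(), label: "atom table")
```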

Affected Version(s)

plug_cowboy 2.0.0 < 2.8.1

plug_cowboy 12ecfd024bb179d48b018fecf074e43fe6a19c83

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ulrich