Denial of Service Vulnerability in Phoenix Framework by Phoenix Framework
CVE-2026-32689

8.7 HIGH

Key Information:

Status
Vendor
CVE Published: 5 May 2026

What is CVE-2026-32689?

The Phoenix Framework is vulnerable to a denial of service attack due to improper handling of NDJSON body content in the long-poll transport. When a POST request with the content type application/x-ndjson is received, the request body is split into segments without any limit. An attacker can exploit this by sending a payload consisting solely of newline characters, which causes excessive memory consumption and ultimately crashes the server node. The vulnerability can be triggered by unauthenticated clients, so it allows significant resource exhaustion and the termination of active sessions.
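A bounded way to split such a body, as an added example (not Phoenix's code and not the upstream fix). The module name BoundedNDJSON and both limits are assumptions chosen for illustration.

```elixir
defmodule BoundedNDJSON do
  @moduledoc """
  Hypothetical helper (not Phoenix code): split an NDJSON body with hard
  limits on body size and on the number of segments.
  """

  # Assumed limits for illustration; tune to the application's real traffic.
  @max_bytes 1_000_000
  @max_segments 100

  @spec split(binary(), keyword()) ::
          {:ok, [binary()]} | {:error, :body_too_large | :too_many_segments}
  def split(body, opts \\ []) when is_binary(body) do
    max_bytes = Keyword.get(opts, :max_bytes, @max_bytes)
    max_segments = Keyword.get(opts, :max_segments, @max_segments)

    if byte_size(body) > max_bytes do
      {:error, :body_too_large}
    else
      # `parts:` stops splitting after max_segments + 1 pieces, so the list
      # never grows with the number of newlines in the body.
      parts = String.split(body, "\n", parts: max_segments + 1)

      # The limit is checked on raw pieces, so a trailing empty piece counts.
      if length(parts) > max_segments do
        {:error, :too_many_segments}
      else
        # Empty pieces (blank lines, trailing newline) carry no message.
        {:ok, Enum.reject(parts, &(&1 == ""))}
      end
    end
  end
end

# Constructed inputs: a normal two-message body and a newline-only body.
normal = ~s({"event":"a"}\n{"event":"b"}\n)
newline_only = String.duplicate("\n", 500_000)

IO.inspect(BoundedNDJSON.split(normal))
IO.inspect(BoundedNDJSON.split(newline_only))
```

The newline-only body is rejected after at most 101 pieces are allocated, instead of producing one list element per newline.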

Affected Version(s)

phoenix 1.7.0 < 1.7.22

phoenix 1.8.0 < 1.8.6

phoenix 2674c6ea30634667f9b09966b90269393b445953

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich