Denial of Service Vulnerability in mtrudel Bandit Affects Elixir Framework
CVE-2026-39803

8.7 HIGH

Key Information:

Vendor: Mtrudel
Status: Vendor
CVE Published: 13 May 2026

What is CVE-2026-39803?

A vulnerability in mtrudel Bandit allows unauthenticated remote attackers to cause memory exhaustion with specially crafted HTTP/1 chunked requests. Because of a flaw in the read_data function of Elixir's Bandit, the server does not enforce a maximum request body size while reading a chunked body, so the decoded body can grow without bound. A single request carrying an arbitrarily large payload is enough to exhaust available memory and trigger the operating system's out-of-memory (OOM) killer, taking the application down. The issue affects Bandit versions from 1.4.0 up to but not including 1.11.1; applications on these versions should apply the available patch or otherwise mitigate the risk.
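To make the failure mode concrete, here is an added illustrative HTTP/1 chunked-body decoder in Elixir that enforces a cumulative body limit before buffering each chunk. It is not Bandit's code; the module name, function names and the 8 MiB default cap are assumptions, and the clause marked as the limit check is the class of check whose absence lets the decoded body grow without bound.

```elixir
defmodule ChunkedBodyReader do
  # Hypothetical example, not Bandit's read_data: decodes an HTTP/1 chunked
  # transfer-coding body while enforcing a cumulative size limit.
  # Default cap on the decoded body (assumed value).
  @default_max_body 8 * 1024 * 1024

  # Decodes a complete chunked body. Returns {:ok, body} or {:error, reason}.
  # The limit is checked against the *declared* size of each chunk before any
  # chunk data is buffered, so the decoded body can never exceed `max_body`
  # regardless of how many chunks the client sends.
  def read_chunked(data, max_body \\ @default_max_body) when is_binary(data) do
    do_read(data, 0, [], max_body)
  end

  defp do_read(data, total, acc, max_body) do
    case :binary.split(data, "\r\n") do
      # No CRLF: the chunk-size line is missing or truncated.
      [_] -> {:error, :incomplete}

      [size_line, rest] ->
        # Chunk extensions (";name=value") carry no length and are ignored.
        [size_hex | _] = String.split(size_line, ";", parts: 2)

        case Integer.parse(String.trim(size_hex), 16) do
          # Zero-length chunk terminates the body; trailers are not needed here.
          {0, ""} ->
            {:ok, acc |> Enum.reverse() |> IO.iodata_to_binary()}

          # The missing check: without this clause the reader keeps appending
          # chunks until the VM exhausts memory and the OOM killer fires.
          {chunk_size, ""} when total + chunk_size > max_body ->
            {:error, {:body_too_large, total + chunk_size, max_body}}

          {chunk_size, ""} when chunk_size > 0 ->
            case rest do
              <<chunk::binary-size(chunk_size), "\r\n", remaining::binary>> ->
                do_read(remaining, total + chunk_size, [chunk | acc], max_body)

              _ -> {:error, :incomplete}
            end

          _ -> {:error, :bad_chunk_size}
        end
    end
  end
end

# Constructed inputs: a well-formed two-chunk body, and a single chunk that
# declares more bytes than the cap allows (rejected before any buffering).
IO.inspect(ChunkedBodyReader.read_chunked("5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"))
IO.inspect(ChunkedBodyReader.read_chunked("FFFFFFFF\r\n", 1024))
```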

Affected Version(s)

bandit 1.4.0 < 1.11.1

bandit 903e209a521bc216b9f9065c01ae9a0cac2d5a10


CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Mat Trudel
Jonatan Männchen