Denial of Service Vulnerability in Bandit WebSocket by mtrudel
CVE-2026-39804

8.2 HIGH

Key Information:

Vendor: Mtrudel
Status: Vendor
CVE Published: 1 May 2026

What is CVE-2026-39804?

A vulnerability in Bandit, developed by mtrudel, allows attackers to use unauthenticated WebSocket connections to trigger memory exhaustion. When compression via permessage-deflate is enabled, an unauthenticated user can send specially crafted frames that exploit the lack of an output-size limit during decompression. A small compressed frame can therefore inflate into an allocation far larger than the available heap, potentially causing an out-of-memory (OOM) condition in the BEAM virtual machine. To be vulnerable, specific server options must be enabled, including websocket_options.compress. Affected versions are 0.5.9 and later, up to but not including 1.11.0.
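The defensive counterpart of the missing check described above, as an added example that is not Bandit's own (Elixir) code: a Python receiver that inflates a permessage-deflate message while enforcing an output-size cap, so a small frame can never expand beyond the configured budget. The deflate_message helper and the cap values are assumptions made to construct sample input; the 0x00 0x00 0xff 0xff tail handling follows RFC 7692.

```python
import zlib

# RFC 7692 permessage-deflate: each message is a raw DEFLATE stream sent
# without its trailing empty stored block; the receiver re-appends the
# block before inflating.
DEFLATE_TAIL = b"\x00\x00\xff\xff"


class InflateLimitExceeded(Exception):
    """Raised when the inflated message would grow past the configured cap."""


def deflate_message(data: bytes) -> bytes:
    # Hypothetical helper, used here only to construct sample payloads
    # the way a compressing peer would produce them.
    c = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    body = c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
    return body[: -len(DEFLATE_TAIL)]  # strip the tail, as a peer would


def inflate_bounded(payload: bytes, max_bytes: int) -> bytes:
    """Inflate one permessage-deflate message, never holding more than
    max_bytes (+1 byte for overrun detection) of output in memory."""
    d = zlib.decompressobj(wbits=-15)
    pending = payload + DEFLATE_TAIL
    out = bytearray()
    while pending:
        # Ask zlib for at most one byte beyond the remaining budget; if we
        # receive it, the peer sent more than we are willing to allocate.
        budget = max_bytes - len(out) + 1
        out += d.decompress(pending, budget)
        if len(out) > max_bytes:
            raise InflateLimitExceeded(
                f"inflated size exceeds {max_bytes} bytes; close with 1009")
        pending = d.unconsumed_tail  # input zlib has not processed yet
    out += d.flush()  # output still buffered inside zlib, if any
    if len(out) > max_bytes:
        raise InflateLimitExceeded(
            f"inflated size exceeds {max_bytes} bytes; close with 1009")
    return bytes(out)


def inflate_or_none(payload: bytes, max_bytes: int):
    """Server-side convenience: None means 'reject this frame'."""
    try:
        return inflate_bounded(payload, max_bytes)
    except InflateLimitExceeded:
        return None
```

A constructed 1 MiB run of zero bytes compresses to about a kilobyte but is refused at a 64 KiB cap, while a message that fits the cap inflates normally.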

Affected Version(s)

bandit 0.5.9 < 1.11.0

bandit da4027cff7d2b80319e76fe7a32f84beceec490a < 1.11.0

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich