Memory Exhaustion Vulnerability in Next AI Draw.io Web Application
CVE-2026-40608
6.2 MEDIUM
What is CVE-2026-40608?
The Next AI Draw.io web application, prior to version 0.4.15, is susceptible to a memory exhaustion vulnerability caused by unbounded accumulation of request payloads as JavaScript strings. The flaw lies in the HTTP sidecar, where three POST handlers process incoming requests without limiting the request body size. When excessively large payloads are sent, around 500 MiB or more, the process runs out of memory (OOM) and the server crashes. This denial-of-service condition disrupts service availability; update to version 0.4.15, where the issue is resolved.
Affected Version(s)
next-ai-draw-io < 0.4.15
