Remote Denial of Service Vulnerability in Bandit by Mtrudel
CVE-2026-42786

8.7 HIGH

Key Information:

Vendor: Mtrudel
Status: Vendor
CVE Published: 1 May 2026

What is CVE-2026-42786?

A resource-allocation vulnerability in Bandit allows an unauthenticated remote attacker to cause denial of service through memory exhaustion. The issue arises from the handling of continuation frames on a WebSocket connection: the per-connection data structure that buffers the fragments of a message grows without limit. An adversary can therefore stream a potentially endless sequence of continuation frames, consuming memory without any bound until the operating system terminates the process. Applications using Phoenix Channels and LiveView may be particularly vulnerable, since they are exposed as soon as they accept a socket connection.
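The defensive pattern this advisory implies, as an added example in Python (Bandit itself is Elixir, and neither its code nor its actual fix is reproduced here): a fragment reassembler that checks the accumulated message size before buffering each continuation frame, so an endless continuation stream is rejected instead of growing the per-connection buffer. The `MAX_MESSAGE_BYTES` cap and the `build_frame`/`parse_frame` helpers are constructed for this example; real client frames are always masked, and 64-bit payload lengths are omitted for brevity.

```python
import struct
# Constructed cap for this example; Bandit's real limit is its own per-socket option, not modelled here.
MAX_MESSAGE_BYTES = 1024
CONTINUATION = 0x0

def build_frame(fin: bool, opcode: int, payload: bytes, mask: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Build one masked RFC 6455 frame; used here only to construct sample input (lengths < 65536)."""
    head = bytes([(0x80 if fin else 0) | opcode])
    if len(payload) < 126: head += bytes([0x80 | len(payload)])
    else: head += bytes([0x80 | 126]) + struct.pack("!H", len(payload))  # 64-bit form omitted
    return head + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))

def parse_frame(data: bytes):
    """Parse one masked frame from the front of data; return (fin, opcode, payload, bytes_consumed)."""
    fin, opcode, n, off = bool(data[0] & 0x80), data[0] & 0x0F, data[1] & 0x7F, 2
    if n == 126:
        n, off = struct.unpack("!H", data[2:4])[0], 4
    mask, off = data[off:off + 4], off + 4  # client-to-server frames carry a 4-byte mask
    payload = bytes(b ^ mask[i % 4] for i, b in enumerate(data[off:off + n]))
    return fin, opcode, payload, off + n

class FragmentReassembler:
    def __init__(self, max_message_bytes: int = MAX_MESSAGE_BYTES):
        self.max = max_message_bytes
        self._reset()

    def _reset(self):
        self.opcode, self.parts, self.size = None, [], 0

    def feed(self, fin: bool, opcode: int, payload: bytes):
        """Return (opcode, message) when a message completes, else None; raise ValueError on abuse."""
        if opcode & 0x8:  # control frames (close/ping/pong) may interleave and are never buffered
            return (opcode, payload)
        if opcode != CONTINUATION:
            if self.opcode is not None:
                raise ValueError("new message started while a fragmented one is pending")
            self.opcode = opcode
        elif self.opcode is None:
            raise ValueError("continuation frame without an initial fragment")
        if self.size + len(payload) > self.max:  # checked BEFORE buffering, so memory stays bounded
            self._reset()  # drop partial state; the caller should close the socket (code 1009)
            raise ValueError("fragmented message exceeds %d bytes" % self.max)
        self.parts.append(payload)
        self.size += len(payload)
        if not fin:
            return None
        message = (self.opcode, b"".join(self.parts))
        self._reset()
        return message
```

Without the size check in `feed`, every continuation frame would be appended to `parts` indefinitely, which is exactly the unbounded per-connection growth the advisory describes.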

Affected Version(s)

bandit >= 0.5.0, < 1.11.0

bandit from commit 8909391f486d42138c5308410bc5ea49a65f4d46, < 1.11.0

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Peter Ullrich
Mat Trudel
Jonatan Männchen