Uncontrolled Resource Consumption in oban_web Product by oban-bg
CVE-2026-48593

5.9 MEDIUM

Key Information:

Vendor: Oban-bg
Status: Vendor
CVE Published: 26 May 2026

What is CVE-2026-48593?

A vulnerability in the oban_web component allows attackers to exploit unbounded cron range expansion, leading to significant memory exhaustion. By submitting a malicious cron expression such as '0 0 1-100000000 * *', an attacker can make the rendering process allocate large amounts of memory, potentially crashing the BEAM node. The issue arises because the parsing and expansion logic for cron expressions performs no bounds check on range endpoints, even though cron expressions are validated elsewhere in the application. Users are advised to check for updates and apply the patched release to mitigate this risk.
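The defect the advisory describes is a range expansion that trusts the endpoints as written. The following is an added illustration, not oban_web's code (oban_web is an Elixir project; Python is used here only to show the language-independent check): it contrasts an unchecked range size calculation with a parser that validates every endpoint against its field's bounds before materialising any values. Field names, limits and error messages are this example's own assumptions, and the standard five-field cron layout is assumed.

```python
"""Bounded cron-expression expansion, added as an illustration of the missing
check the advisory describes. Not oban_web's parser: the function names, field
limits and error text are assumptions made for this example. Standard 5-field
cron is assumed: minute hour day-of-month month day-of-week."""

from typing import Dict, List

# Inclusive (low, high) bounds per field, in expression order (assumed standard cron).
FIELDS = [
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day", 1, 31),
    ("month", 1, 12),
    ("weekday", 0, 6),
]


def naive_range_size(part: str) -> int:
    """How many integers an unchecked range(start, end + 1) would produce for a
    'start-end' token. It trusts the numbers as written, so '1-100000000'
    answers 100,000,000: the size of the allocation the advisory warns about."""
    start, end = (int(x) for x in part.split("-", 1))
    return max(0, end - start + 1)


def parse_field(text: str, low: int, high: int) -> List[int]:
    """Expand one cron field into a sorted list of ints, validating every
    endpoint against the field's bounds *before* any range is materialised."""
    values = set()
    for token in text.split(","):
        base, _, step_text = token.partition("/")
        step = int(step_text) if step_text else 1
        if step < 1:
            raise ValueError(f"step must be >= 1: {token!r}")
        if base == "*":
            start, end = low, high
        elif "-" in base:
            start, end = (int(x) for x in base.split("-", 1))
        else:
            start = int(base)
            end = high if step_text else start  # '5/10' means 5, 15, 25, ... up to high
        # The bounds check the advisory says is missing: an endpoint outside
        # [low, high] is rejected here, before range() can allocate anything.
        if not (low <= start <= end <= high):
            raise ValueError(f"value out of bounds for field {low}-{high}: {token!r}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def parse_cron(expr: str) -> Dict[str, List[int]]:
    """Parse a 5-field expression; raises ValueError on any out-of-range field."""
    parts = expr.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {
        name: parse_field(part, low, high)
        for part, (name, low, high) in zip(parts, FIELDS)
    }


def is_valid_cron(expr: str) -> bool:
    """True when the expression expands within bounds, False otherwise."""
    try:
        parse_cron(expr)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(naive_range_size("1-100000000"))        # 100000000 entries if unchecked
    print(is_valid_cron("0 0 1-100000000 * *"))   # False: rejected before expansion
    print(parse_cron("*/15 9-17 1,15 * 1-5"))
```

Because the largest legal field holds 60 values, the bounded parser's memory use is fixed regardless of input; the key is that the comparison happens on the parsed endpoints, not on the expanded list, so an oversized range costs nothing before it is rejected.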

Affected Version(s)

oban_web 2.12.0 < 2.12.5

oban_web a97c7960bb389b05aaab4cf8042985f02ceddc24 < 9998b7e284e02fdd4645dd6231760038e63b584d

References

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Shannon Selbert
Jonatan Männchen