Inefficient Algorithmic Complexity in Plug Affects Elixir Plug Server
CVE-2026-54892

8.7 HIGH

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-54892?

A vulnerability in the Plug framework's nested-parameter decoder allows unauthenticated remote attackers to trigger denial of service conditions. When parsing query strings and application/x-www-form-urlencoded request bodies, an attacker can exploit the algorithm's inefficiency by nesting keys deeply, leading to prolonged unresponsiveness of Plug-based servers. With a default body limit of 1,000,000 bytes, an attacker may create requests with excessive nesting levels that consume massive computational resources, ultimately saturating the BEAM scheduler. This vulnerability impacts several Plug versions and does not require knowledge of application routes or prior authentication.
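The durable fix is to upgrade to one of the patched releases listed under Affected Version(s). As an added defence-in-depth example (not part of this advisory and not code from the Plug project), the plug below rejects a request whose raw query-string keys nest deeper than a configured limit before Plug.Parsers or fetch_query_params ever hands the string to the nested-parameter decoder. The module name, the default limit of 10 levels and the 400 response are assumptions; the depth count works on the raw text in a single linear pass, so the guard itself cannot become the expensive step.

```elixir
# Added example, not part of the advisory or of Plug itself.
# Place it in the endpoint ahead of Plug.Parsers / fetch_query_params.
defmodule MyApp.Plugs.NestingDepthGuard do
  @behaviour Plug
  import Plug.Conn

  # Assumed limit; legitimate form and query keys rarely exceed a few levels.
  @default_max_depth 10

  @impl true
  def init(opts), do: Keyword.put_new(opts, :max_depth, @default_max_depth)

  @impl true
  def call(conn, opts) do
    max_depth = Keyword.fetch!(opts, :max_depth)

    if query_nesting_depth(conn.query_string) > max_depth do
      # Halting here means the nested decoder never runs on this input.
      conn
      |> send_resp(400, "query parameters nested too deeply")
      |> halt()
    else
      conn
    end
  end

  # Deepest bracket nesting across all keys of a raw query string, e.g.
  # "a[b][c]=1" -> 2, "a=1&b[c]=2" -> 1, "" -> 0. Percent-encoded brackets
  # ("%5B") are decoded first so they are counted the same as literal ones.
  def query_nesting_depth(""), do: 0

  def query_nesting_depth(query_string) when is_binary(query_string) do
    query_string
    |> String.split("&")
    |> Enum.map(&key_depth/1)
    |> Enum.max(fn -> 0 end)
  end

  defp key_depth(pair) do
    [key | _] = String.split(pair, "=", parts: 2)

    key
    |> URI.decode_www_form()
    |> String.graphemes()
    |> Enum.count(&(&1 == "["))
  end
end
```

This guard only covers the query string; an application/x-www-form-urlencoded body reaches the same decoder through Plug.Parsers, so the same depth check would have to be applied to the body (for example via a custom body reader) and the Plug.Parsers `:length` option should be kept as small as the application allows. Neither replaces upgrading to a fixed version.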

Affected Version(s)

plug 1.15.0 < 1.15.5

plug 1.16.0 < 1.16.4

plug 1.17.0 < 1.17.2

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Braidon Whatley
José Valim
Jonatan Männchen / EEF