Denial of Service Vulnerability in Phoenix Framework Presence JavaScript Client
CVE-2026-56812

6.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-56812?

A vulnerability exists in the Phoenix Framework's Presence JavaScript client, where an improper truthiness check allows attackers with basic channel access to exploit presence keys. By choosing keys that overlap with Object.prototype members, attackers can trigger an uncaught TypeError, leading to a persistent denial of service for all viewers on the same channel topic. As this issue affects only specific presence topics and does not result in Object.prototype mutation, the impact is confined yet disruptive. Developers are advised to upgrade to the patched versions to mitigate this vulnerability.

Affected Version(s)

phoenix 1.2.0-rc.0 < 1.5.15

phoenix 1.6.0-rc.0 < 1.6.17

phoenix 1.7.0-rc.0 < 1.7.24

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Jonatan Männchen
José Valim
Steffen Deusch
.