Denial of Service Vulnerability in Plug Parser for Multipart File Uploads
CVE-2026-56814

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56814?

The vulnerability in the multipart request-body parser used by Plug allows unauthenticated remote attackers to trigger denial of service by sending a crafted request with multiple empty body parts. This causes inode and disk exhaustion due to the creation of temporary files, without the size of part headers being counted against the configured length budget. Hence, applications utilizing Plug.Parsers with multipart parsing may experience unbounded memory growth and performance degradation.

Affected Version(s)

plug 1.4.0 < 1.16.6

plug 1.17.0 < 1.17.4

plug 1.18.0 < 1.18.5

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Jonatan Männchen
José Valim
.