Denial of Service Vulnerability in Cowboy by ninenines
CVE-2026-8466

8.2 HIGH

Key Information:

Vendor

Ninenines

Status
Vendor
CVE Published:
13 May 2026

What is CVE-2026-8466?

A vulnerability in Cowboy allows unbounded resource allocation during multipart header parsing. The 'read_part' function accumulates incoming request bytes without enforcing any limit on buffer size, and the flaw can be exploited by an unauthenticated attacker. By sending specially crafted multipart/form-data requests that do not maintain proper header structure, the attacker can cause the server to consume memory continuously. When multiple concurrent requests of this kind are processed, the result can be denial of service, potentially exhausting the server's resources and affecting availability. Affected versions range from 2.0.0 up to, but not including, 2.15.0, making immediate patching essential.
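The bug class described above, sketched as an added Erlang example; this is not Cowboy's code or its actual fix. The module name, function names, the 65536-byte cap and the rule that a part's headers end at the first CRLFCRLF are assumptions made for illustration.

```erlang
%% Added example, not Cowboy source: module, function names and the cap are hypothetical.
-module(bounded_part_headers).
-export([read_headers/3, demo/0]).

-define(MAX_HEADER_BYTES, 65536). %% assumed limit, chosen for illustration

%% Read(State) -> {ok, binary(), NewState} | eof stands in for the socket read.
%% Simplification: the header block is taken to end at the first CRLFCRLF.
read_headers(Read, State, Max) ->
    read_headers(Read, State, Max, <<>>).

read_headers(Read, State, Max, Buffer) ->
    case binary:match(Buffer, <<"\r\n\r\n">>) of
        {Pos, _Len} when Pos =< Max ->
            <<Headers:Pos/binary, _:4/binary, Rest/binary>> = Buffer,
            {ok, Headers, Rest};
        _ when byte_size(Buffer) > Max ->
            %% Without this clause the buffer grows for as long as the peer
            %% keeps sending bytes that never complete the header block.
            {error, part_headers_too_large};
        nomatch ->
            case Read(State) of
                {ok, Data, State1} ->
                    read_headers(Read, State1, Max, <<Buffer/binary, Data/binary>>);
                eof ->
                    {error, incomplete_part_headers}
            end
    end.

%% Constructed inputs: one well-formed part, one stream that never terminates.
demo() ->
    FromList = fun([C | T]) -> {ok, C, T}; ([]) -> eof end,
    Good = [<<"content-disposition: form-data; na">>, <<"me=\"f\"\r\n\r\nbody">>],
    {ok, <<"content-disposition: form-data; name=\"f\"">>, <<"body">>} =
        read_headers(FromList, Good, ?MAX_HEADER_BYTES),
    Endless = fun(N) -> {ok, binary:copy(<<"x">>, 1024), N + 1} end,
    {error, part_headers_too_large} =
        read_headers(Endless, 0, ?MAX_HEADER_BYTES),
    ok.
```

Calling `bounded_part_headers:demo()` returns `ok` only if the well-formed part parses and the endless stream is rejected once the buffer passes the cap.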

Affected Version(s)

cowboy 2.0.0 < 2.15.0

cowboy 917cf99e10c41676183d501b86af6e47c95afb89 < 5c6a2061b41bb5771c4659fac7d5a822dca5bafb

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Loïc Hoguin