Denial of Service Vulnerability in Plug Project by Elixir
CVE-2026-8468

8.2HIGH

Key Information:

Vendor: Elixir-plug
Status: Plug
Vendor: CVE Published:; 14 May 2026

🔔 Create Elixir-plug Vulnerability Alert

What is CVE-2026-8468?

The Plug Project for Elixir is vulnerable to a Denial of Service attack due to improper resource allocation in its multipart header parsing. An unauthenticated attacker can exploit the flaw by sending a multipart/form-data request that lacks a complete header section, leading to unchecked memory accumulation as the server processes incoming request bytes. This vulnerability allows the attacker to exhaust server memory by making concurrent uploads, resulting in a complete service outage for users.

Affected Version(s)

plug 1.4.0 < 1.15.4

plug 1.16.0 < 1.16.3

plug 1.17.0 < 1.17.1

References

https://github.com/elixir-plug/plug/security/advisories/G...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-8468.html

https://osv.dev/vulnerability/EEF-CVE-2026-8468

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 13, 2026

Credit

José Valim

Jonatan Männchen

CVE-2026-8468 Data

JSON