Skip to main content

Absinthe GraphQL CVE-2026-42793

| EUVDEUVD-2026-28798 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-08 EEF GHSA-qf4g-9fqq-mmm7
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 08, 2026 - 17:02 EUVD
Analysis Generated
May 08, 2026 - 16:32 vuln.today
CVSS changed
May 08, 2026 - 16:22 NVD
8.2 (HIGH)
CVE Published
May 08, 2026 - 15:42 nvd
HIGH 8.2

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.

Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.

Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed - for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.

This issue affects absinthe: from 1.5.0 before 1.10.2.

AnalysisAI

Unauthenticated remote attackers can crash Erlang VM nodes running Absinthe GraphQL 1.5.0 through 1.10.1 by exhausting the BEAM atom table through specially crafted GraphQL SDL documents. Attackers send SDL containing numerous unique directive, field, type, or argument names that are unsafely converted to atoms via String.to_atom/1, permanently consuming slots in the fixed-size atom table (default 1,048,576 entries) until the VM terminates with system_limit error. This affects any application exposing SDL parsing to untrusted input, such as schema upload endpoints, federation gateways ingesting remote SDL, or developer tools processing user-supplied documents. Vendor-released patch (version 1.10.2) is available per GitHub advisory GHSA-qf4g-9fqq-mmm7.

Technical ContextAI

Absinthe is a GraphQL implementation for Elixir running on the BEAM virtual machine (Erlang VM). The vulnerability resides in Blueprint.Draft.convert/2 implementations across SDL language modules that parse GraphQL Schema Definition Language documents. The BEAM atom table stores immutable symbolic constants used throughout Erlang/Elixir code, with atoms never garbage-collected and a fixed capacity limit enforced at the VM level. When Absinthe calls String.to_atom/1 on attacker-supplied names from SDL documents, each unique string creates a permanent atom entry. This maps to CWE-770 (Allocation of Resources Without Limits or Throttling) because the parser lacks input validation or rate limiting on atom creation. GraphQL SDL allows arbitrary identifiers for schema elements, and the parsing code trusts these names implicitly rather than using safe alternatives like String.to_existing_atom/1 or maintaining a bounded namespace.

RemediationAI

Upgrade to Absinthe version 1.10.2 or later, which addresses the unsafe atom conversion in SDL parsing code per GitHub advisory GHSA-qf4g-9fqq-mmm7. For applications unable to upgrade immediately, implement strict input validation on SDL parsing endpoints: restrict access to authenticated administrative users only via application-level access controls, enforce request rate limiting (e.g., maximum 10 SDL parse requests per IP per hour), and implement document size limits (reject SDL documents exceeding 10KB). Consider disabling SDL upload features entirely if not required for production operations - many applications only need SDL parsing during development/deployment phases and can remove these endpoints from runtime environments. Monitor Erlang VM atom table usage via :erlang.system_info(:atom_count) and configure alerts when approaching 90% of :erlang.system_info(:atom_limit) as an early warning system. Note that workarounds provide incomplete protection since crafting sufficient unique names within size limits remains feasible; patching to 1.10.2 is the only complete remediation.

Share

CVE-2026-42793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy