Skip to main content

Oban Web

2 CVEs product

Monthly

CVE-2026-48592 MEDIUM POC PATCH GHSA This Month

Unauthorized job worker substitution in oban_web 2.12.0-2.12.4 allows any authenticated low-privileged user to redirect background job execution to arbitrary existing worker modules. The server-side LiveView event handler for 'save-job' in Elixir.Oban.Web.Jobs.DetailComponent omits the can?/2 authorization check that all sibling handlers (cancel, delete, retry) correctly enforce, enabling a user granted only :read_only access to forge a WebSocket event and overwrite a queued job's worker field. No public exploit code exists and SSVC designates exploitation as none, but successful abuse causes Oban to invoke an attacker-chosen worker module on next execution, introducing real integrity risk to automated job pipelines.

Authentication Bypass Oban Web
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-48593 MEDIUM POC PATCH GHSA This Month

Memory exhaustion in Oban Web's cron expression rendering engine allows a low-privileged attacker who can schedule jobs to crash the BEAM VM node. By submitting a cron expression with an astronomically large range such as '0 0 1-100000000 * *', the attacker causes Elixir.Oban.Web.CronExpr.describe/1 to eagerly materialize the range into a list via Enum.to_list/1, allocating approximately 2.4 GB of memory and stalling or crashing the node when a dashboard user views the cron job list. No public exploit identified at time of analysis, but the attack requires no specialized tooling - the malicious expression is trivial to craft given knowledge of the unguarded parse path.

Denial Of Service Oban Web
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthorized job worker substitution in oban_web 2.12.0-2.12.4 allows any authenticated low-privileged user to redirect background job execution to arbitrary existing worker modules. The server-side LiveView event handler for 'save-job' in Elixir.Oban.Web.Jobs.DetailComponent omits the can?/2 authorization check that all sibling handlers (cancel, delete, retry) correctly enforce, enabling a user granted only :read_only access to forge a WebSocket event and overwrite a queued job's worker field. No public exploit code exists and SSVC designates exploitation as none, but successful abuse causes Oban to invoke an attacker-chosen worker module on next execution, introducing real integrity risk to automated job pipelines.

Authentication Bypass Oban Web
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Memory exhaustion in Oban Web's cron expression rendering engine allows a low-privileged attacker who can schedule jobs to crash the BEAM VM node. By submitting a cron expression with an astronomically large range such as '0 0 1-100000000 * *', the attacker causes Elixir.Oban.Web.CronExpr.describe/1 to eagerly materialize the range into a list via Enum.to_list/1, allocating approximately 2.4 GB of memory and stalling or crashing the node when a dashboard user views the cron job list. No public exploit identified at time of analysis, but the attack requires no specialized tooling - the malicious expression is trivial to craft given knowledge of the unguarded parse path.

Denial Of Service Oban Web
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy