cvedb.io
CVE-2026-42793
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-05-08T16:16:12.550 · Last modified 2026-06-17T10:48:25.143

Summary

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any applica

Affected products

absinthe-graphql — absinthe

Does this affect you?

Add your gear to cvedb and we'll alert you only when absinthe-graphql ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.