CVE-2026-8468

EUVD-2026-30266

14.05.2026, 11:16

Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://cna.erlef.org/cves/CVE-2026-8466.html

https://cna.erlef.org/cves/CVE-2026-8468.html

https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a

https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7

https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734

https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45

https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94

https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64

https://osv.dev/vulnerability/EEF-CVE-2026-8468