CVE-2026-42793
Undergoing Analysis Undergoing Analysis - In Progress
Denial of Service in Absinthe via Atom Table Exhaustion

Publication date: 2026-05-08

Last updated on: 2026-05-22

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed β€” for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-22
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42793
EUVD
EUVD-2026-28798
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
absinthe-graphql absinthe From 1.5.0 (exc) to 1.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the absinthe-graphql library where multiple implementations call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents. Because atoms in the Erlang VM are never garbage-collected and the atom table has a fixed size, each unique name permanently consumes one slot in the atom table.

An attacker can exploit this by submitting GraphQL SDL documents containing many unique names, exhausting the atom table. This causes the Erlang VM to abort with a system_limit error, resulting in a denial of service that takes down the entire node.

Any application that processes attacker-controlled GraphQL SDL through Absinthe's parser, such as schema-upload endpoints, federation gateways, or developer tools, is vulnerable.

Impact Analysis

This vulnerability can lead to an unauthenticated denial of service (DoS) attack against applications using the absinthe-graphql library. By exhausting the Erlang VM's atom table, an attacker can cause the entire node to crash, resulting in service downtime and loss of availability.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive atom table usage in the Erlang VM, which may indicate atom table exhaustion attempts.

Since the vulnerability involves attacker-controlled GraphQL SDL documents causing unbounded atom creation, detection can involve inspecting incoming SDL documents for a large number of unique names or directives.

Commands to check the current atom table usage on an Erlang node include:

  • Using the Erlang shell command: `erlang:system_info(atom_count).` to get the current number of atoms in use.
  • Using `erlang:system_info(atom_limit).` to check the maximum allowed atoms.

Monitoring logs for system_limit errors or Erlang VM crashes can also help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the absinthe-graphql library to version 1.10.2 or later, where the vulnerability has been fixed.

Until the upgrade is applied, restrict or validate any user-supplied GraphQL SDL documents to limit the number of unique names or directives processed by Absinthe.

Implement input validation or allow-listing on SDL inputs to prevent unbounded atom creation.

Monitor the Erlang VM for atom table usage and system_limit errors to detect and respond to potential attacks.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42793. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart