CVE-2026-48593
Memory Exhaustion in Oban Web Cron Expression Parsing
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: EEF
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oban | oban_web | up to 2.12.5 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Uncontrolled Resource Consumption issue (CWE-400) in the oban_web component of the oban-bg system, specifically in the 'Elixir.Oban.Web.CronExpr' module.
An attacker who can schedule cron jobs can submit a malicious cron expression with an extremely large range, such as "0 0 1-100000000 * *".
When a user with dashboard access views the cron job list, the system tries to render this expression by expanding the range into its individual values without bounds checking, which allocates a very large amount of memory (~2.4 GB) for a single expression.
This excessive memory allocation can stall or crash the BEAM node (the Erlang virtual machine running the application).
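The missing check described above, as an added illustration rather than Oban Web's own code: a minimal, hypothetical cron-field parser that validates every range against the field's allowed bounds (minute, hour, day, month, weekday) before expanding it, so an oversized range is rejected instead of materialised in memory.

```elixir
defmodule BoundedCron do
  # Allowed {min, max} per field, in cron order: minute hour day month weekday
  @bounds [{0, 59}, {0, 23}, {1, 31}, {1, 12}, {0, 6}]

  # Returns {:ok, list_of_value_lists} or {:error, reason}. Every range is
  # bounds-checked before Enum.to_list/1 allocates anything.
  def parse(expr) when is_binary(expr) do
    fields = String.split(expr, ~r/\s+/, trim: true)

    if length(fields) != 5 do
      {:error, {:field_count, length(fields)}}
    else
      Enum.zip(fields, @bounds)
      |> Enum.reduce_while({:ok, []}, fn {field, bounds}, {:ok, acc} ->
        case parse_field(field, bounds) do
          {:ok, values} -> {:cont, {:ok, acc ++ [values]}}
          {:error, _} = err -> {:halt, err}
        end
      end)
    end
  end

  # "*" expands to the field's full, bounded range only.
  defp parse_field("*", {lo, hi}), do: {:ok, Enum.to_list(lo..hi)}

  # "a-b" or "a": parse the integers and reject anything outside [lo, hi]
  # (or a > b) *before* building the range. This is the check that was missing.
  defp parse_field(field, {lo, hi}) do
    {first, last} =
      case String.split(field, "-", parts: 2) do
        [a, b] -> {to_int(a), to_int(b)}
        [a] -> {to_int(a), to_int(a)}
      end

    case {first, last} do
      {x, y} when is_integer(x) and is_integer(y) and x >= lo and y <= hi and x <= y ->
        {:ok, Enum.to_list(x..y)}

      _ ->
        {:error, {:out_of_bounds, field, lo, hi}}
    end
  end

  defp to_int(s) do
    case Integer.parse(s) do
      {n, ""} -> n
      _ -> :invalid
    end
  end
end
```

With this validator, `BoundedCron.parse("0 0 1-100000000 * *")` returns `{:error, {:out_of_bounds, "1-100000000", 1, 31}}` without expanding the day-of-month field, while a well-formed expression such as `"0 0 1-15 * *"` is expanded normally.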
How can this vulnerability impact me?
The vulnerability can lead to memory exhaustion on the server running the oban_web dashboard.
This can cause the BEAM node to stall or crash, resulting in denial of service for users relying on the application.
An attacker with the ability to schedule cron jobs can exploit this to disrupt normal operations and potentially cause downtime.