CVE-2026-8469
Deferred Deferred - Pending Action
Atom Table Exhaustion in Phoenix Storybook

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8469
EUVD
EUVD-2026-31114
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phenixdigital phoenix_storybook From 0.2.0 (inc) to 1.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8469 is a vulnerability in the phoenix_storybook package where multiple LiveView event handlers convert user-supplied strings into BEAM atoms without validation using String.to_atom/1.

Because BEAM atoms are never garbage-collected, each unique attacker-controlled string permanently occupies a slot in the atom table.

An attacker can exploit this by sending many unique strings, exhausting the atom table limit (~1,048,576 atoms), which causes the entire BEAM node to crash and take down all running applications.

This issue affects phoenix_storybook versions from 0.2.0 up to but not including 1.1.0.

Compliance Impact

This vulnerability primarily causes an unauthenticated denial-of-service (DoS) by exhausting the BEAM atom table, leading to a crash of the entire BEAM node and disruption of availability.

There is no information in the provided context or resources indicating that this vulnerability leads to unauthorized access, data leakage, or compromise of personal or sensitive data.

Therefore, based on the available information, this vulnerability impacts system availability but does not directly affect compliance with data protection standards or regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal data.

Impact Analysis

This vulnerability can lead to an unauthenticated denial-of-service (DoS) attack against applications using the affected phoenix_storybook versions.

By exhausting the BEAM atom table through attacker-controlled input, the entire BEAM node crashes, causing all applications running on it to become unavailable.

The impact is primarily on availability, potentially causing downtime and disruption of services.

Detection Guidance

This vulnerability can be detected by monitoring the BEAM atom table usage on your system. Since the issue involves exhaustion of the atom table due to unbounded creation of atoms from user input, unusually high or rapidly increasing atom counts may indicate an attack or exploitation attempt.

You can check the current number of atoms used by the BEAM VM with the following Erlang command:

  • erl -eval 'erlang:system_info(atom_count), halt().' -noshell

Additionally, monitoring network traffic to the phoenix_storybook route for unusual or excessive LiveView event parameters that may be attempting to create new atoms can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade phoenix_storybook to version 1.1.0 or later, where the vulnerability has been fixed.

The fix involves replacing unsafe conversions of user-supplied strings to atoms (using String.to_atom/1) with safer alternatives like String.to_existing_atom/1, and validating that only predefined atoms are used.

If immediate upgrade is not possible, consider restricting or disabling access to the phoenix_storybook route, especially in production or publicly accessible environments, to prevent unauthenticated attackers from sending malicious LiveView events.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8469. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart