CVE-2026-56814
Received Received - Intake

Denial of Service in Plug Multipart Parser

Vulnerability report for CVE-2026-56814, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: EEF

Description

Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero. Because every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP. This vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4. This issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
elixir plug From 1.4.0 (inc) to 1.16.6 (exc)
elixir plug From 1.17.0 (inc) to 1.17.4 (exc)
elixir plug From 1.18.0 (inc) to 1.18.5 (exc)
elixir plug From 1.19.0 (inc) to 1.19.5 (exc)
elixir plug From 1.20.0 (inc) to 1.20.3 (exc)
elixir plug to 1.16.6 (exc)
elixir plug to 1.17.4 (exc)
elixir plug to 1.18.5 (exc)
elixir plug to 1.19.5 (exc)
elixir plug to 1.20.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56814 is a vulnerability in the Plug.Parsers.MULTIPART module, which is responsible for parsing multipart request bodies used in file uploads and multipart forms. The issue arises because the parser does not enforce the configured :length limit on all parts of the multipart request. Specifically, it only counts the size of the part body bytes but ignores the size of part headers. Additionally, parts with empty bodies cost zero against the limit.

An attacker can exploit this by sending a single multipart request containing many empty-body file parts, each with a non-empty filename. Each such part causes the creation of a temporary file and retention of a Plug.Upload struct, which consumes system resources like inodes, disk space, and memory. Since these parts do not count against the length limit, the attacker can exhaust system resources without exceeding the configured size limit.

This vulnerability affects all applications using Plug.Parsers with the :multipart parser and requires only that the attacker can reach a multipart endpoint over HTTP, with no authentication needed.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by allowing an attacker to exhaust critical system resources. Specifically, by sending many empty-body file parts in a multipart request, an attacker can cause:

  • Exhaustion of inodes due to creation of many temporary files.
  • Disk space exhaustion from the accumulation of temporary files.
  • Unbounded memory growth by retaining Plug.Upload structs for each part.

The overall impact is degradation or crashing of the affected Plug application, resulting in service unavailability for legitimate users.

Detection Guidance

This vulnerability involves the multipart parser in Plug not enforcing length limits on multipart headers and empty-body file parts, which can lead to denial of service by exhausting system resources. Detection involves monitoring for unusually high numbers of multipart requests with many empty-body file parts that create temporary files without consuming expected byte limits.

Since the vulnerability exploits multipart HTTP requests, detection can be done by inspecting HTTP traffic to multipart endpoints for requests containing many parts with non-empty filenames but empty bodies.

Specific commands are not provided in the resources, but general approaches include:

  • Using network traffic analysis tools (e.g., tcpdump, Wireshark) to capture HTTP multipart requests and analyze the number and size of parts.
  • Using application logs to detect spikes in temporary file creation or inode/disk usage.
  • Monitoring system resource usage (inodes, disk space, memory) for unusual exhaustion patterns coinciding with multipart requests.

No explicit commands or scripts are provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade the Plug library to a fixed version where the multipart parser properly enforces the length limit on all parts of the multipart request, including headers and skipped bodies.

  • Upgrade Plug to version 1.16.6 or later, 1.17.4 or later, 1.18.5 or later, 1.19.5 or later, or 1.20.3 or later, depending on your current version.

Until the patch is applied, external mitigations can help reduce risk.

  • Implement reverse-proxy request-size caps to limit the size and number of multipart parts accepted.
  • Restrict access to multipart endpoints to trusted clients or networks where possible.

These steps help prevent denial-of-service attacks by limiting the ability of attackers to send large numbers of empty-body file parts that exhaust system resources.

Compliance Impact

The vulnerability allows an unauthenticated remote attacker to cause a denial of service by exhausting system resources such as inodes, disk space, and memory through the multipart parser's failure to enforce length limits properly.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, denial-of-service conditions can impact system availability, which is a critical aspect of many regulatory frameworks.

Availability is a key component in regulations such as HIPAA and GDPR, which require systems to ensure availability and resilience of data processing services. A denial-of-service attack exploiting this vulnerability could lead to service outages, potentially affecting compliance with these regulations.

However, there is no direct information in the provided text linking this vulnerability to specific compliance violations or data breaches under these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56814. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart