CVE-2026-34593

Ash Framework versions prior to 3.22.0

Ash Framework is susceptible to a denial of service due to uncontrolled Erlang atom creation. The Ash.Type.Module.cast input/2 function unconditionally creates a new Erlang atom using Module.concat([value]) for any user-supplied binary string starting with 'Elixir.', without first verifying the module's existence. Since Erlang atoms are never garbage collected and the BEAM virtual machine has a limit on the number of atoms, an attacker can exhaust the atom table by submitting numerous unique 'Elixir.' strings through any resource attribute or argument of type :module, leading to a crash of the BEAM VM and a denial of service. The vulnerable code is located in lib/ash/type/module.ex, lines 105-113 and 141. An attacker can exploit this by submitting repeated Ash.create requests with unique 'Elixir.' strings via an API endpoint. The issue also occurs when reading :module-typed values from the database if an attacker can write arbitrary 'Elixir.*' strings to the relevant database column.

To resolve this, update to version 3.22.0 or later. As a temporary workaround, avoid using the :module type for user-supplied input or restrict access to resources with :module-typed attributes.