CVE-2026-32688

Name of the Vulnerable Software and Affected Versions plug cowboy versions 2.0.0 through 2.8.0

Description An unauthenticated remote attacker can cause a denial of service via atom table exhaustion. In HTTP/2 connections, the Plug.Cowboy.Conn.conn/1 function in lib/plug/cowboy/conn.ex calls String.to atom/1 on the value returned by :cowboy req.scheme/1. Because cowlib passes the client-supplied :scheme pseudo-header value without validation, each unique value creates a permanent entry in the BEAM atom table. Since atoms are not garbage-collected and the table has a fixed limit, sending requests with unique :scheme values can exhaust the table, causing the Erlang VM to abort with a system limit and crashing the node. This issue does not affect HTTP/1.1.

Recommendations Update to version 2.8.1. As a temporary workaround, disable HTTP/2 on the Plug.Cowboy.https/3 listener by passing protocol options: %{protocols: [:http]} in the cowboy options to restrict the listener to HTTP/1.1.