PT-2026-37059 · Phoenix · Phoenix

Peter Ullrich · Published 2026-05-05 · Updated 2026-05-05

CVE-2026-32689 · CVSS v4.0 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

phoenix versions 1.7.0 through 1.7.21
phoenix version 1.8.6
Description

An issue in the long-poll transport's NDJSON body handling allows a remote denial of service. In the publish/4 function of Elixir.Phoenix.Transports.LongPoll, POST requests with Content-Type: application/x-ndjson are processed by splitting the request body on newline characters with String.split/2, with no limit on the number of resulting segments. A body consisting only of newline bytes therefore becomes a very large list of empty binaries, which exhausts BEAM memory and schedulers, crashes the node, and terminates every active session on it. The session token the endpoint requires is obtainable via an unauthenticated GET request with a matching Origin header, so the attack is effectively unauthenticated.
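The pattern the description names, beside a bounded alternative, as an added illustration in Elixir. This is not Phoenix's code and is not the fix shipped in 1.7.22; the module name NdjsonGuard, the caps @max_body_bytes and @max_messages, and the hostile_body/1 builder are assumptions chosen for the example.

```elixir
# Added illustration (hypothetical NdjsonGuard module, not Phoenix's code):
# the unbounded split the advisory describes next to a bounded variant.
defmodule NdjsonGuard do
  # Both caps are assumptions for this example; a real transport would size
  # them to the message volume it actually expects per long-poll POST.
  @max_body_bytes 64_000
  @max_messages 50

  # Builds the hostile body the advisory describes: nothing but newline bytes.
  def hostile_body(n) when is_integer(n) and n > 0, do: String.duplicate("\n", n)

  # The vulnerable pattern: every "\n" produces a list element, so n newline
  # bytes become a list of n + 1 empty binaries. The allocation grows with the
  # request body, and nothing in this function bounds the body.
  def split_unbounded(body) when is_binary(body), do: String.split(body, "\n")

  # Bounded variant: refuse oversized bodies before allocating anything,
  # count line terminators with an early exit, and only then split. Empty
  # segments are dropped, so a newline-only body decodes to zero messages.
  def split_bounded(body) when is_binary(body) do
    with :ok <- check_size(body),
         :ok <- check_line_count(body, 0) do
      lines =
        body
        |> String.split("\n")
        |> Enum.reject(&(&1 == ""))

      {:ok, lines}
    end
  end

  defp check_size(body) when byte_size(body) > @max_body_bytes,
    do: {:error, :body_too_large}

  defp check_size(_body), do: :ok

  # Walks the binary byte by byte and stops as soon as the cap is exceeded,
  # so the most a hostile body can cost is the scan up to that point.
  defp check_line_count(_rest, n) when n > @max_messages,
    do: {:error, :too_many_messages}

  defp check_line_count(<<>>, _n), do: :ok

  defp check_line_count(<<?\n, rest::binary>>, n),
    do: check_line_count(rest, n + 1)

  defp check_line_count(<<_byte, rest::binary>>, n),
    do: check_line_count(rest, n)
end
```

In iex, `NdjsonGuard.hostile_body(100_000) |> NdjsonGuard.split_unbounded() |> length()` returns 100_001, and passing that list to `:erts_debug.flat_size/1` shows the heap words a single request occupies; multiply by concurrent requests to see why the node runs out of memory. `NdjsonGuard.split_bounded/1` refuses the same body with `{:error, :body_too_large}`, and a body under the size cap with more than 50 terminators gets `{:error, :too_many_messages}`, both before any list is built. Checking the body size first matters: it is the one bound the attacker cannot work around by sending many small messages, and it is what makes the newline scan cheap.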
Recommendations

Update versions 1.7.0 through 1.7.21 to version 1.7.22.
Update version 1.8.6 to a newer, fixed version.
Until the upgrade is in place, or if long-polling is not needed at all, disable the longpoll transport on every socket declaration in the endpoint (Phoenix.Endpoint.socket/3), including the LiveView /live socket, by removing the longpoll option or setting longpoll: false.
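What the third recommendation looks like in an endpoint module, as an added example that is not part of the advisory. The application name MyAppWeb, the session options and the commented "before" block (the shape phx.new emits for the LiveView socket in 1.7) are assumptions; only the `longpoll: false` option is the point.

```elixir
# Added example (hypothetical MyAppWeb application; not Phoenix's generated
# code verbatim): both socket declarations with long-polling switched off.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Session options are placeholders for the example.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "replace-with-your-salt",
    same_site: "Lax"
  ]

  # Before (the shape phx.new emits for the LiveView socket in 1.7):
  #   socket "/live", Phoenix.LiveView.Socket,
  #     websocket: [connect_info: [session: @session_options]],
  #     longpoll: [connect_info: [session: @session_options]]
  #
  # After: the long-poll transport is never mounted, so the NDJSON publish
  # path described in CVE-2026-32689 is unreachable for this socket.
  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]],
    longpoll: false

  # Same for the application's own channel socket.
  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

  # The remaining endpoint plugs (static files, parsers, session, router)
  # are unchanged and omitted from this example.
end
```

After redeploying, confirm the transport is gone by requesting the long-poll path that Phoenix mounts under each socket, for example `curl -si 'https://example.test/live/longpoll?vsn=2.0.0'` (host assumed): it should no longer answer with the token handshake. The caveat is that this removes the only transport available to clients whose network blocks WebSockets, and any client configured to fall back to long-polling will fail to connect instead, so treat this as a stopgap until the upgrade rather than a permanent setting unless long-polling was never needed.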

Weakness Enumeration

Allocation of Resources Without Limits (CWE-770)

Related Identifiers

CVE-2026-32689
GHSA-628H-Q48J-JR6Q

Affected Products

Phoenix