PT-2026-43408 · Oban Web · Oban Web

Author: Jonatan Männchen (+2)
Published: 2026-05-26 · Updated: 2026-05-26
CVE-2026-48593
CVSS v4.0: 5.9 (Medium)
Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: oban_web versions 2.12.0 through 2.12.4

Description: Uncontrolled Resource Consumption in the Elixir.Oban.Web.CronExpr module allows memory exhaustion through unbounded cron range expansion. An attacker with permissions to schedule cron jobs can submit a malicious cron expression. When a user with dashboard access views the cron job list, the describe/1 function is called to render the expression. The parse_range/1 function parses range endpoints using Integer.parse/1 without bounds checks, and the expand_dom_parts/1 and expand_dow_parts/1 helpers eagerly materialize the range via Enum.to_list/1. This can lead to the allocation of approximately 2.4 GB of memory, stalling or crashing the BEAM node (the Erlang Virtual Machine).

Recommendations: Update oban_web to version 2.12.5.
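Added illustration, not Oban Web's code and not the 2.12.5 fix: the unbounded pattern the description above names, next to a version of the same range parser that checks each endpoint against the field's domain before the list is built. Module and function names are hypothetical, and a day-of-month domain of 1..31 is assumed.

```elixir
# Constructed example (not from oban_web): bounded vs. unbounded cron range expansion.
defmodule CronRangeDemo do
  @dom_min 1
  @dom_max 31

  # Unbounded pattern: endpoints come straight from Integer.parse/1 and the
  # range is materialised eagerly, so "1-999999999" allocates a list with
  # hundreds of millions of entries. Kept here for contrast only.
  def expand_unbounded(field) do
    [a, b] = String.split(field, "-", parts: 2)
    {lo, _rest} = Integer.parse(a)
    {hi, _rest} = Integer.parse(b)
    Enum.to_list(lo..hi)
  end

  # Hardened pattern: each endpoint must be a complete integer inside the
  # field's domain, and the range must be ascending, before anything is
  # expanded. Worst case for day-of-month is therefore 31 elements.
  def expand_bounded(field, min \\ @dom_min, max \\ @dom_max) do
    with [a, b] <- String.split(field, "-", parts: 2),
         {:ok, lo} <- parse_in_bounds(a, min, max),
         {:ok, hi} <- parse_in_bounds(b, min, max),
         true <- lo <= hi do
      {:ok, Enum.to_list(lo..hi)}
    else
      _ -> {:error, {:invalid_range, field}}
    end
  end

  # Rejects trailing garbage ("5x"), signs that push the value out of range,
  # and anything outside min..max. Rejected input never reaches Enum.to_list/1.
  defp parse_in_bounds(str, min, max) do
    case Integer.parse(str) do
      {n, ""} when n >= min and n <= max -> {:ok, n}
      _ -> :error
    end
  end
end

# Constructed inputs: a legitimate range, the oversized range, and a reversed one.
for field <- ["1-5", "1-999999999", "20-3"] do
  IO.inspect(CronRangeDemo.expand_bounded(field), label: field)
end
```

The same check applies to the day-of-week field with a domain of 0..6 by passing those limits as `min` and `max`.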

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-48593
GHSA-6XH2-93P9-VQH4

Affected Products

Oban Web