PT-2026-56201 · Phoenix · Phoenix

Jonatan Männchen

+3

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-56811

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions phoenix versions 0.11.0 through 1.5.14 phoenix versions 1.6.0-rc.0 through 1.6.16 phoenix versions 1.7.0-rc.0 through 1.7.23 phoenix versions 1.8.0-rc.0 through 1.8.8
Description An unauthenticated attacker can cause a denial of service against any endpoint mounting a Phoenix socket with a reachable channel transport, such as WebSocket or LongPoll. The issue resides in the Elixir.Phoenix.Socket:handle in/4 routine within the lib/phoenix/socket.ex file. Because Phoenix transports do not limit the number of channels a single transport process can join, a client can send an unbounded number of phx join messages over one connection. This spawns excessive channel processes, potentially exhausting the BEAM maximum process limit and preventing the virtual machine from starting new processes for legitimate traffic. This amplification occurs within a single connection, rendering network-layer connection caps and rate limiting ineffective.
Recommendations Update phoenix to version 1.5.15 or later. Update phoenix to version 1.6.17 or later. Update phoenix to version 1.7.24 or later. Update phoenix to version 1.8.9 or later. Configure the :max channels per transport option to bound the number of channels a single transport process can join.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56811

Affected Products

Phoenix