Description

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.

INFO

Published Date :

2026-05-08T15:42:46.101Z

Last Modified :

2026-05-08T16:09:11.643Z

Source :

EEF
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42793 vulnerability.

Vendors Products
Absinthe-graphql
  • Absinthe
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42793.

URL Resource
https://cna.erlef.org/cves/CVE-2026-42793.html cve-icon cve-icon
https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7 cve-icon cve-icon
https://osv.dev/vulnerability/EEF-CVE-2026-42793 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability