CVE Vulnerability Details: CVE-2026-42793
PUBLISHED
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 08 May, 2026 | 15:42
Updated At: 09 May, 2026 | 12:41
▼CVE Numbering Authority (CNA)
Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.
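
The pattern described above, next to a bounded alternative, as an added example; this is not Absinthe's code and not the project's patch. The module name `SafeName`, its function names and the 128-character length cap are assumptions made for illustration.

```elixir
# Added example, not Absinthe code. SafeName is a hypothetical module.
defmodule SafeName do
  # GraphQL name grammar with an assumed cap of 128 characters.
  defp name_pattern, do: ~r/\A[_A-Za-z][_0-9A-Za-z]{0,127}\z/

  # Pattern named in the advisory: every previously unseen string
  # permanently takes one slot in the atom table.
  def unsafe(name) when is_binary(name), do: String.to_atom(name)

  # Bounded alternative: resolve only names that already exist as atoms
  # (for example, identifiers compiled into the application). Unknown
  # names stay binaries, which are garbage-collected.
  def safe(name) when is_binary(name) do
    if Regex.match?(name_pattern(), name) do
      try do
        {:ok, String.to_existing_atom(name)}
      rescue
        ArgumentError -> {:ok, name}
      end
    else
      {:error, :invalid_name}
    end
  end

  # Fraction of the atom table in use; suitable for a health check or alert.
  def atom_usage do
    :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit)
  end
end

# Constructed input: 1,000 unique names, as one untrusted SDL document could carry.
names = for i <- 1..1_000, do: "constructed_sdl_name_#{i}"

before = :erlang.system_info(:atom_count)
Enum.each(names, &SafeName.safe/1)
after_safe = :erlang.system_info(:atom_count)
Enum.each(names, &SafeName.unsafe/1)
after_unsafe = :erlang.system_info(:atom_count)

IO.puts("safe path added #{after_safe - before} atoms")
IO.puts("unsafe path added #{after_unsafe - after_safe} atoms")
IO.puts("atom table usage: #{Float.round(SafeName.atom_usage() * 100, 3)}%")
```

Exporting `atom_usage/0` as a metric gives operators a signal on nodes that cannot be upgraded to 1.10.2 immediately.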

Affected Products
Vendor
absinthe-graphql
Product
absinthe
Collection URL
https://repo.hex.pm
Package Name
absinthe
Repo
https://github.com/absinthe-graphql/absinthe
CPEs
  • cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Absinthe.Language.DirectiveDefinition'
  • 'Elixir.Absinthe.Language.EnumTypeDefinition'
  • 'Elixir.Absinthe.Language.FieldDefinition'
  • 'Elixir.Absinthe.Language.InputObjectTypeDefinition'
  • 'Elixir.Absinthe.Language.InputValueDefinition'
  • 'Elixir.Absinthe.Language.InterfaceTypeDefinition'
  • 'Elixir.Absinthe.Language.ObjectTypeDefinition'
  • 'Elixir.Absinthe.Language.ScalarTypeDefinition'
  • 'Elixir.Absinthe.Language.UnionTypeDefinition'
Program Files
  • lib/absinthe/language/directive_definition.ex
  • lib/absinthe/language/enum_type_definition.ex
  • lib/absinthe/language/field_definition.ex
  • lib/absinthe/language/input_object_type_definition.ex
  • lib/absinthe/language/input_value_definition.ex
  • lib/absinthe/language/interface_type_definition.ex
  • lib/absinthe/language/object_type_definition.ex
  • lib/absinthe/language/scalar_type_definition.ex
  • lib/absinthe/language/union_type_definition.ex
Program Routines
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition':convert/2
Default Status
unaffected
Versions
Affected
  • From 1.5.0 before 1.10.2 (semver)
Vendor
absinthe-graphql
Product
absinthe
Collection URL
https://github.com
Package Name
absinthe-graphql/absinthe
Repo
https://github.com/absinthe-graphql/absinthe
CPEs
  • cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Absinthe.Language.DirectiveDefinition'
  • 'Elixir.Absinthe.Language.EnumTypeDefinition'
  • 'Elixir.Absinthe.Language.FieldDefinition'
  • 'Elixir.Absinthe.Language.InputObjectTypeDefinition'
  • 'Elixir.Absinthe.Language.InputValueDefinition'
  • 'Elixir.Absinthe.Language.InterfaceTypeDefinition'
  • 'Elixir.Absinthe.Language.ObjectTypeDefinition'
  • 'Elixir.Absinthe.Language.ScalarTypeDefinition'
  • 'Elixir.Absinthe.Language.UnionTypeDefinition'
Program Files
  • lib/absinthe/language/directive_definition.ex
  • lib/absinthe/language/enum_type_definition.ex
  • lib/absinthe/language/field_definition.ex
  • lib/absinthe/language/input_object_type_definition.ex
  • lib/absinthe/language/input_value_definition.ex
  • lib/absinthe/language/interface_type_definition.ex
  • lib/absinthe/language/object_type_definition.ex
  • lib/absinthe/language/scalar_type_definition.ex
  • lib/absinthe/language/union_type_definition.ex
Program Routines
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition':convert/2
  • 'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition':convert/2
Default Status
unaffected
Versions
Affected
  • From d0eae7764520d4e8e5dfff619068c0de911aec33 before dd842b938e3823f345c10416914ffab5d5536838 (git)
Problem Types
Type: CWE
CWE ID: CWE-770
Description: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
Version: 4.0
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Credits
  • finder: Peter Ullrich
  • remediation developer: Curtis Schiewek
References
  • https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7 (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-42793.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-42793 (related)
  • https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838 (patch)
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment