PatchSiren cyber security CVE debrief
CVE-2026-42793 Cna CVE debrief
CVE-2026-42793 is an unauthenticated denial-of-service issue in absinthe-graphql Absinthe. When attacker-controlled GraphQL SDL is parsed, multiple Blueprint.Draft.convert/2 paths call String.to_atom/1 on untrusted names such as directive, field, type, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit, repeated unique names permanently consume atom slots until the node aborts with system_limit. The issue affects Absinthe versions from 1.5.0 up to, but not including, 1.10.2.
- Vendor: Cna
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-09
Who should care
Teams running Absinthe in any workflow that parses SDL from untrusted sources should treat this as high priority: schema-upload endpoints, federation gateways that ingest remote SDL, developer tools, and any API that lets users submit GraphQL SDL for validation or conversion.
Technical summary
The vulnerability is a resource-exhaustion condition in Absinthe's SDL parsing pipeline. Several Blueprint.Draft.convert/2 implementations convert attacker-controlled identifiers into atoms via String.to_atom/1. Since BEAM atoms are permanent and the atom table has a hard limit, an attacker can supply enough unique names in GraphQL SDL to exhaust the table and crash the Erlang VM. The CNA and NVD records classify the weakness as CWE-770 and the impact as high availability loss.
Defensive priority
High. This is a remote unauthenticated availability impact with a straightforward trigger condition whenever untrusted SDL reaches Absinthe's parser. Systems that accept user-supplied SDL or remote federation content should be prioritized for upgrade and input-path review.
Recommended defensive actions
- Upgrade Absinthe to 1.10.2 or later.
- Audit all code paths that parse GraphQL SDL to confirm they do not accept attacker-controlled documents without strict validation or gating.
- If SDL ingestion is required, restrict it to trusted administrators or authenticated workflows and add size/complexity limits before parsing.
- Review application monitoring and crash handling for BEAM node aborts tied to atom table exhaustion.
- Use the official GitHub advisory and CNA record as the remediation references for affected and fixed versions.
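A pre-parse gate of the kind the actions above describe, as an added Elixir example that is not Absinthe's code or part of the advisory. The `SdlGate` module, its thresholds and the identifier regex are assumptions; `:atom_count` and `:atom_limit` are real `:erlang.system_info/1` keys. Call `SdlGate.check/1` on untrusted SDL before handing it to the parser, and reject the document on any error.

```elixir
defmodule SdlGate do
  @moduledoc """
  Hypothetical pre-parse gate for untrusted GraphQL SDL (not part of Absinthe).
  Rejects documents that are too large or that introduce too many distinct
  names, and refuses to parse at all when the BEAM atom table is running low.
  """

  # Assumed limits; tune to the largest legitimate schema you expect.
  @max_bytes 64 * 1024
  @max_distinct_names 500
  # Assumed threshold: refuse parsing when fewer atom slots than this remain.
  @min_atom_headroom 100_000

  # GraphQL Name production: /[_A-Za-z][_0-9A-Za-z]*/
  @name_re ~r/[_A-Za-z][_0-9A-Za-z]*/

  @spec check(binary()) :: :ok | {:error, term()}
  def check(sdl) when is_binary(sdl) do
    with :ok <- check_size(sdl),
         :ok <- check_distinct_names(sdl),
         :ok <- check_atom_headroom() do
      :ok
    end
  end

  defp check_size(sdl) when byte_size(sdl) > @max_bytes, do: {:error, :too_large}
  defp check_size(_sdl), do: :ok

  # Every distinct identifier-like token is a potential new atom on the
  # vulnerable convert/2 paths, so bounding this count bounds the atom cost.
  # Keywords such as "type" are counted too; that only makes the gate stricter.
  defp check_distinct_names(sdl) do
    count =
      @name_re
      |> Regex.scan(sdl)
      |> List.flatten()
      |> MapSet.new()
      |> MapSet.size()

    if count > @max_distinct_names, do: {:error, {:too_many_names, count}}, else: :ok
  end

  # Also useful as a monitoring metric: alert when headroom trends downward.
  def atom_headroom do
    :erlang.system_info(:atom_limit) - :erlang.system_info(:atom_count)
  end

  defp check_atom_headroom do
    if atom_headroom() < @min_atom_headroom, do: {:error, :atom_table_low}, else: :ok
  end
end
```

Emitting `atom_headroom/0` to your metrics pipeline gives the crash-monitoring signal the last action calls for: a steady decline while SDL endpoints are busy is the symptom to alert on.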
Evidence notes
The impact, affected version range, and root cause are taken from the supplied CVE description and official references. The CNA record and GitHub security advisory identify the issue in Absinthe's SDL language modules, and the linked commit is the remediation reference. NVD lists the record as published on 2026-05-08 and modified on 2026-05-09.
Official resources
- CVE-2026-42793 CVE record (CVE.org)
- CVE-2026-42793 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Publicly disclosed in the official CNA and NVD records on 2026-05-08, with the record modified on 2026-05-09.