PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56814 elixir-plug CVE debrief

CVE-2026-56814 is a denial of service vulnerability in Plug.Parsers.MULTIPART, a multipart request-body parser used to handle file uploads and multipart forms. The parser does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The vulnerability affects any application using Plug.Parsers with the :multipart parser, and no authentication is required, only reachability of a multipart endpoint over HTTP. The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM.

Vendor
elixir-plug
Product
plug
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Any application using Plug.Parsers with the :multipart parser is affected. No authentication is required, only reachability of a multipart endpoint over HTTP. The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM, indicating a medium priority for applications using Plug.Parsers with the :multipart parser.

Technical summary

The Plug.Parsers.MULTIPART parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero. An attacker can send a single request composed of many empty-body file parts, creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. The vulnerability affects plug versions from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.

Defensive priority

High priority for applications using Plug.Parsers with the :multipart parser due to the potential for denial of service and medium severity.

Recommended defensive actions

  • Review and update Plug.Parsers.MULTIPART to version 1.16.6 or later
  • Implement compensating controls to limit the number of temporary files created
  • Monitor for suspicious activity and inode exhaustion
  • Consider using alternative multipart parsers
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-10T12:17:24.837Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The parser's :length budget is not enforced against all consumed resources, which allows an unauthenticated remote attacker to cause denial of service. Evidence limits suggest that an attacker can send a single request composed of many empty-body file parts, leading to inode and disk exhaustion and unbounded memory growth.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T12:17:24.837Z and has not been modified since then.