PatchSiren cyber security CVE debrief
CVE-2026-56814 elixir-plug CVE debrief
CVE-2026-56814 is a denial of service vulnerability in Plug.Parsers.MULTIPART, a multipart request-body parser used to handle file uploads and multipart forms. The parser does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The vulnerability affects any application using Plug.Parsers with the :multipart parser, and no authentication is required, only reachability of a multipart endpoint over HTTP. The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM.
- Vendor
- elixir-plug
- Product
- plug
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Any application using Plug.Parsers with the :multipart parser is affected. No authentication is required, only reachability of a multipart endpoint over HTTP. The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM, indicating a medium priority for applications using Plug.Parsers with the :multipart parser.
Technical summary
The Plug.Parsers.MULTIPART parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero. An attacker can send a single request composed of many empty-body file parts, creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. The vulnerability affects plug versions from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.
Defensive priority
High priority for applications using Plug.Parsers with the :multipart parser due to the potential for denial of service and medium severity.
Recommended defensive actions
- Review and update Plug.Parsers.MULTIPART to version 1.16.6 or later
- Implement compensating controls to limit the number of temporary files created
- Monitor for suspicious activity and inode exhaustion
- Consider using alternative multipart parsers
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-10T12:17:24.837Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The parser's :length budget is not enforced against all consumed resources, which allows an unauthenticated remote attacker to cause denial of service. Evidence limits suggest that an attacker can send a single request composed of many empty-body file parts, leading to inode and disk exhaustion and unbounded memory growth.
Official resources
-
CVE-2026-56814 CVE record
CVE.org
-
CVE-2026-56814 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T12:17:24.837Z and has not been modified since then.