PatchSiren cyber security CVE debrief

CVE-2026-48593 oban-bg CVE debrief

CVE-2026-48593 describes an uncontrolled resource consumption vulnerability in oban_web, the web dashboard component for the Oban job processing library in Elixir. The flaw lies in the `Elixir.Oban.Web.CronExpr` module, specifically in how cron expressions are parsed and expanded for display. When a user with dashboard access views the cron job list, the `describe/1` function processes each cron expression through `parse_range/1`, which parses range endpoints without bounds validation. The downstream helpers `expand_dom_parts/1` and `expand_dow_parts/1` then materialize these ranges eagerly with `Enum.to_list/1`.

A malicious actor with permission to schedule cron jobs can submit an expression such as `0 0 1-100000000 * *`, which on rendering allocates approximately 2.4 GB of memory and causes the BEAM node to stall or crash. Notably, the sibling helper `extract_dom_values` already implements range bounds checking, while the expansion helpers do not, indicating that an existing check was not applied consistently across the module.

The vulnerability affects oban_web versions 2.12.0 through 2.12.4. The CVSS 4.0 vector indicates network attack vector, low attack complexity, attack requirements present, low privileges required, and user interaction required, with high availability impact. The CWE-400 classification confirms uncontrolled resource consumption. A patch is available in version 2.12.5.

Vendor: oban-bg
Product: oban_web
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running oban_web versions 2.12.0-2.12.4 with multi-user dashboard access; Elixir/Phoenix applications using Oban's cron scheduling with non-admin job creators; teams with memory-constrained BEAM deployments; security-conscious shops seeking to prevent DoS via resource exhaustion

Technical summary

The vulnerability stems from missing bounds validation in `parse_range/1` within `Elixir.Oban.Web.CronExpr`. When rendering cron expressions for dashboard display, range endpoints are parsed via `Integer.parse/1` without maximum value checks. The expansion helpers `expand_dom_parts/1` and `expand_dow_parts/1` subsequently call `Enum.to_list/1` on the parsed range, causing eager allocation of a list containing all integers in the range. An expression like `0 0 1-100000000 * *` generates a 100-million-element list, consuming ~2.4 GB RAM. The `extract_dom_values` helper already validates range bounds, suggesting the fix pattern exists but was not applied consistently. The attack requires: (1) ability to schedule cron jobs (PR:L), and (2) a dashboard user to view the job list (UI:P). The BEAM's per-process heap isolation limits blast radius to the rendering process, but node-wide garbage collection pauses and memory pressure can cause cascading failures.

Defensive priority

medium

Recommended defensive actions

  • Upgrade oban_web to version 2.12.5 or later to obtain the bounds-checking fix for cron range expansion
  • Review and audit existing cron job schedules for maliciously constructed range expressions, particularly those with unusually large numeric ranges
  • Implement input validation at the application layer for cron expressions before they reach the Oban scheduling system, enforcing reasonable bounds on range endpoints
  • Monitor BEAM node memory usage and set appropriate resource limits to contain potential denial-of-service impacts from similar resource exhaustion issues
  • Restrict permissions for cron job scheduling to trusted administrative users only, as the vulnerability requires privileged access to exploit
  • Consider implementing circuit breakers or timeouts for dashboard rendering operations that process user-contributed cron expressions
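The application-layer validation recommended above, as an added illustration: a hypothetical `CronBounds` module (not code from Oban, oban_web, or the 2.12.5 patch) that checks every range endpoint and step against its field's legal bounds before an expression is handed to the scheduler, so the advisory's `0 0 1-100000000 * *` is rejected at the day-of-month field (limit 31) instead of being expanded. It assumes numeric five-field syntax only; named months/days and `@daily`-style aliases are outside what it handles.

```elixir
defmodule CronBounds do
  # Hypothetical application-layer pre-check, not part of Oban or oban_web.
  # Each endpoint and step is checked against its field's legal bounds before
  # anything is expanded, so no Enum.to_list/1 ever runs on hostile input.

  # Inclusive bounds per field: minute, hour, day-of-month, month, day-of-week.
  @bounds [{0, 59}, {0, 23}, {1, 31}, {1, 12}, {0, 6}]

  # Returns :ok or {:error, reason}. Numeric syntax only: no JAN/MON names
  # and no @daily-style aliases (handle those before calling this).
  def validate(expr) when is_binary(expr) do
    fields = String.split(expr, ~r/\s+/, trim: true)

    if length(fields) != 5,
      do: {:error, :wrong_field_count},
      else: fields |> Enum.zip(@bounds) |> all_ok(fn {f, b} -> validate_field(f, b) end)
  end

  # Comma-separated list: every element must pass.
  defp validate_field(field, bounds),
    do: field |> String.split(",") |> all_ok(&validate_part(&1, bounds))

  # "*" and "*/step"
  defp validate_part("*", _bounds), do: :ok
  defp validate_part("*/" <> step, {_min, max}), do: check_int(step, 1, max)

  # "n", "a-b" or "a-b/step": both endpoints must lie in [min, max] with a <= b.
  defp validate_part(part, {min, max}) do
    [range | step] = String.split(part, "/", parts: 2)

    with :ok <- all_ok(step, &check_int(&1, 1, max)),
         [a, b] <- range |> String.split("-", parts: 2) |> pad_range(),
         :ok <- check_int(a, min, max),
         :ok <- check_int(b, min, max) do
      if String.to_integer(a) <= String.to_integer(b), do: :ok, else: {:error, {:inverted_range, part}}
    end
  end

  defp pad_range([a]), do: [a, a]
  defp pad_range(pair), do: pair

  # Strict integer parse plus bounds check; "100000000" fails here for day-of-month.
  defp check_int(str, min, max) do
    case Integer.parse(str) do
      {n, ""} when n >= min and n <= max -> :ok
      _ -> {:error, {:out_of_bounds, str, min, max}}
    end
  end

  # Run check over every item; the first error wins, otherwise :ok.
  defp all_ok(items, check) do
    Enum.find_value(items, :ok, fn item ->
      case check.(item) do
        :ok -> nil
        err -> err
      end
    end)
  end
end
```

Call `CronBounds.validate/1` on user-supplied expressions before they are inserted into an Oban cron configuration, and treat any `{:error, _}` as a rejected submission.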

Evidence notes

CVE description confirms affected versions 2.12.0 before 2.12.5. GitHub commit 9998b7e284e02fdd4645dd6231760038e63b584d provides patch evidence. GitHub Security Advisory GHSA-6xh2-93p9-vqh4 documents the issue. Erlef CNA record provides authoritative vulnerability details. OSV entry EEF-CVE-2026-48593 corroborates. CVSS 4.0 vector from NVD source: AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. CWE-400 weakness classification confirmed.

Official resources

2026-05-26