PatchSiren


CVE-2026-8469 phenixdigital CVE debrief

CVE-2026-8469 is a high-severity denial-of-service issue in phenixdigital phoenix_storybook. The flaw comes from converting attacker-controlled LiveView event parameters into atoms without adequate validation, which permanently consumes BEAM atom table entries. Because atoms are never garbage-collected, a stream of unique inputs can exhaust the atom table and crash the BEAM node. The issue affects phoenix_storybook from 0.2.0 before 1.1.0 and can be triggered without authentication against network-facing LiveView handlers.

Vendor
phenixdigital
Product
phoenix_storybook
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-21
Advisory published
2026-05-20
Advisory updated
2026-05-21

Who should care

Teams running phoenix_storybook in Elixir/Phoenix applications, especially if LiveView endpoints are exposed to untrusted users. SREs and application owners should care because atom-table exhaustion terminates the entire BEAM node, taking down every application and process on it, not just the storybook.

Technical summary

The vulnerability is an allocation-without-limits problem (CWE-770). Multiple LiveView event handlers in PhoenixStorybook.ExtraAssignsHelpers convert user-supplied strings to atoms with String.to_atom/1: handle_set_variation_assign/3 interns each key from psb-assign, handle_toggle_variation_assign/3 interns the attr value from psb-toggle, to_variation_id/2 interns variation_id elements, and to_value/4 interns raw string values for attributes declared as :atom or :boolean. Since BEAM atoms are permanent allocations, attacker-controlled unique strings can drive the atom table toward its ceiling and abort the node.

Defensive priority

High. This is an unauthenticated, remotely triggerable availability issue with node-wide impact, and the vulnerable code paths are publicly disclosed in the advisory and fixing commit.

Recommended defensive actions

  • Upgrade phoenix_storybook to 1.1.0 or later.
  • Review any local forks or downstream code for String.to_atom/1 on user-controlled input.
  • Replace unsafe atom conversion with allowlisted values where possible. String.to_existing_atom/1 stops table growth but raises ArgumentError on unknown names and still accepts any atom that already exists on the node, so it needs a rescue and a semantic check, not just a substitution.
  • Add monitoring for unusual LiveView event volume and repeated unique parameter values, and track :erlang.system_info(:atom_count) against :erlang.system_info(:atom_limit) so growth is visible before the node dies.
  • If atom-table exhaustion is suspected, treat the node as unstable and restore service from a clean restart after remediation.
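The following is an added example, not phoenix_storybook code, illustrating the pattern described in the technical summary and the remediation list above: an unbounded String.to_atom/1 on request data beside an allowlisted conversion, a guarded String.to_existing_atom/1, and a headroom check against the atom table. The attribute schema, function names, and parameter strings are assumptions chosen to stand in for a story's declared attributes.

```elixir
# Added example (not phoenix_storybook code). Run with: elixir atom_safety.exs
defmodule AtomSafety do
  # Hypothetical schema standing in for a story's declared attributes:
  # each attribute has a type and, for :atom, an explicit allowlist.
  @attributes %{
    "theme" => {:atom, [:light, :dark]},
    "disabled" => {:boolean, nil},
    "label" => {:string, nil}
  }

  # Vulnerable pattern: every distinct string a client sends becomes a
  # permanent atom. This mirrors the behaviour described for pre-1.1.0 code.
  def unsafe_to_value(raw) when is_binary(raw), do: String.to_atom(raw)

  # Hardened pattern: the attribute key is matched as a plain string, the
  # value must be in the declared allowlist, and only then is an atom used.
  def safe_to_value(attr, raw) when is_binary(attr) and is_binary(raw) do
    case Map.fetch(@attributes, attr) do
      {:ok, {:atom, allowed}} ->
        case Enum.find(allowed, fn a -> Atom.to_string(a) == raw end) do
          nil -> {:error, {:not_allowed, attr, raw}}
          atom -> {:ok, atom}
        end

      {:ok, {:boolean, _}} ->
        case raw do
          "true" -> {:ok, true}
          "false" -> {:ok, false}
          _ -> {:error, {:not_boolean, attr, raw}}
        end

      {:ok, {:string, _}} ->
        {:ok, raw}

      :error ->
        {:error, {:unknown_attribute, attr}}
    end
  end

  # Middle ground: never grows the table, but raises on unknown names and
  # accepts any atom already present (e.g. "nil", "true", module names),
  # so it still needs a semantic check downstream.
  def existing_only(raw) when is_binary(raw) do
    {:ok, String.to_existing_atom(raw)}
  rescue
    ArgumentError -> {:error, :no_such_atom}
  end

  # Atom-table headroom. :atom_count and :atom_limit are real
  # :erlang.system_info/1 keys; the default limit is 1,048,576 unless the
  # VM was started with +t.
  def atom_headroom do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, used: Float.round(count / limit, 4)}
  end

  # Demonstrate the leak: intern N unique strings and report table growth.
  def demo(n \\ 1_000) do
    before = atom_headroom().count

    for i <- 1..n do
      # Constructed attacker-style value: unique per request.
      unsafe_to_value("psb_attacker_#{i}_#{System.unique_integer([:positive])}")
    end

    IO.puts("unsafe: #{atom_headroom().count - before} new atoms after #{n} requests (never reclaimed)")

    IO.inspect(safe_to_value("theme", "dark"), label: "safe theme=dark")
    IO.inspect(safe_to_value("theme", "x_#{System.unique_integer([:positive])}"), label: "safe theme=junk")
    IO.inspect(safe_to_value("disabled", "true"), label: "safe disabled=true")
    IO.inspect(safe_to_value("nope", "x"), label: "safe unknown attr")
    IO.inspect(existing_only("no_such_atom_#{System.unique_integer([:positive])}"), label: "existing_only junk")
    IO.inspect(existing_only("true"), label: "existing_only true (exists, so accepted)")
    IO.inspect(atom_headroom(), label: "headroom")
  end
end

AtomSafety.demo()
```

The demo shows the table growing by exactly one entry per unique request value under the unsafe path and by zero under the allowlisted path; the existing_only case demonstrates why String.to_existing_atom/1 alone is not sufficient validation. In production the headroom function belongs in a periodic telemetry job with an alert well below the limit, since the node aborts rather than degrades when the table is full.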

Evidence notes

The CVE description states the vulnerability affects phoenix_storybook from 0.2.0 before 1.1.0 and identifies the unsafe atom conversion paths in ExtraAssignsHelpers. The official source set includes the ERLEF CNA record, an upstream GitHub commit, the GitHub security advisory, and an OSV entry. NVD metadata marks the record as Deferred and classifies the weakness as CWE-770.

Official resources

Publicly disclosed on 2026-05-20 14:17:04.447Z, based on the supplied CVE publishedAt timestamp.