PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56811 phoenixframework CVE debrief

A vulnerability in the Phoenix framework's Socket module allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll). The vulnerability is due to the lack of limits on the number of channels that a single transport process may join, allowing an attacker to spawn hundreds of thousands of channel processes and eventually reach the BEAM maximum process limit, denying service to legitimate traffic across the whole node.

Vendor
phoenixframework
Product
phoenix
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Phoenix framework versions from 0.11.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9 should be aware of this vulnerability and take necessary actions to protect their applications.

Technical summary

The Phoenix framework's Socket module has a vulnerability that allows an unauthenticated attacker to cause a denial of service. The vulnerability is caused by the lack of limits on the number of channels that a single transport process may join. An attacker can exploit this vulnerability by sending a large number of phx_join messages over one connection, spawning hundreds of thousands of channel processes and eventually reaching the BEAM maximum process limit. The fix adds a :max_channels_per_transport option (default 100) that bounds the number of channels a single transport process can join.

Defensive priority

High

Recommended defensive actions

  • Update Phoenix framework to version 1.5.15 or later, 1.6.17 or later, 1.7.24 or later, or 1.8.9 or later
  • Implement rate limiting and connection caps at the network layer
  • Monitor and track channel processes to detect potential abuse
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-07T16:16:40.710Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the specific details of this vulnerability, and defenders should verify the affected scope and severity based on the official advisory or CVE record. The vulnerability affects phoenix framework versions from 0.11.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9. Users should review the official advisory for more information and take necessary actions to protect their applications.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T16:16:40.710Z and has not been modified since then.