CVE-2026-48593 describes an uncontrolled resource consumption vulnerability in oban_web, the web dashboard component for the Oban job processing library in Elixir. The flaw exists in the `Elixir.Oban.Web.CronExpr` module, specifically in how cron expressions are parsed and expanded for display. When a user with dashboard access views the cron job list, the `describe/1` function processes cron expressions [truncated]
A missing authorization check in Oban Web's job detail component allows read-only users to substitute job workers. The `handle_event/3` callback for the `save-job` event in `Elixir.Oban.Web.Jobs.DetailComponent` fails to verify user privileges via the `can?/2` function, unlike sibling handlers for cancel, delete, and retry operations. An authenticated attacker with `:read_only` access can forge a LiveView [truncated]
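The handler-level check that the second advisory says `save-job` lacks, sketched as an added example in plain Elixir; this is not Oban Web's source. The module names, the `:update_job` and `:cancel_job` actions, the `:all` access level and the map standing in for the socket are assumptions. Because a LiveView event is sent by the client regardless of which controls the page renders, the privilege test sits inside every mutating `handle_event/3` clause.

```elixir
# Added illustration: names below are hypothetical, not Oban Web's code.
# Plain Elixir (no Phoenix dependency); run with `elixir sketch.exs`.
defmodule AccessSketch do
  # Assumed policy: :read_only may only view; any other level may mutate.
  def can?(:view_job, _access), do: true
  def can?(_action, :read_only), do: false
  def can?(_action, _access), do: true
end

defmodule DetailSketch do
  import AccessSketch, only: [can?: 2]

  # Sibling pattern: the privilege check lives inside the handler.
  def handle_event("cancel-job", _params, socket) do
    authorize(socket, :cancel_job, fn s -> put_in(s.job.state, "cancelled") end)
  end

  # The save handler applies the same check before changing the worker.
  def handle_event("save-job", %{"worker" => worker}, socket) do
    authorize(socket, :update_job, fn s -> put_in(s.job.worker, worker) end)
  end

  # Run the mutation only when the caller's access level permits the action;
  # otherwise leave the job untouched and record a refusal.
  defp authorize(socket, action, fun) do
    if can?(action, socket.access) do
      {:noreply, fun.(socket)}
    else
      {:noreply, Map.put(socket, :flash, "not authorized: #{action}")}
    end
  end
end

# Constructed sample data: one job and one client-supplied save event.
job = %{id: 1, worker: "MyApp.ReportWorker", state: "available"}
params = %{"worker" => "MyApp.OtherWorker"}

for access <- [:read_only, :all] do
  socket = %{access: access, job: job, flash: nil}
  {:noreply, result} = DetailSketch.handle_event("save-job", params, socket)
  # Print the access level, the resulting worker and any refusal message.
  IO.inspect({access, result.job.worker, result.flash})
end
```

A regression test for this class of bug sends each mutating event with a read-only session and asserts that the stored job is unchanged.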