CVE-2026-8469
published 2026-05-20 · CVE-2026-8469: Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom…
Priority: P3 · 50 · high · CVSS 4.0 base score 8.2
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.54% (41.1th percentile)
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.
Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.
This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
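The description above names the root cause (String.to_atom/1 applied to event parameter strings) and the consequence (atoms are never reclaimed, so the table fills until the node aborts). The following Elixir module is an added illustration, not code from phoenix_storybook or its fix commit: it places the unsafe conversion next to two hardened forms (an allowlist lookup that never touches the atom table, and String.to_existing_atom/1 with the ArgumentError handled), a boolean parser that does not intern, and a small atom-table usage reading suitable for a health check. The module name `AtomSafety` and all function names are hypothetical.

```elixir
# Added illustration (not phoenix_storybook's own code). Module and function
# names are hypothetical; only :erlang.system_info/1 keys are real OTP APIs.
defmodule AtomSafety do
  # Unsafe pattern from the advisory: every distinct caller-supplied string
  # becomes a new atom, and atoms are never garbage-collected.
  def to_attr_id_unsafe(attr) when is_binary(attr), do: String.to_atom(attr)

  # Hardened form 1: accept only strings that name an attribute the story
  # actually declares. `declared` is the list of attribute ids (atoms) known
  # when the story is compiled or the playground is mounted.
  # The comparison is done on the string side, so the incoming string is
  # never interned, not even transiently.
  def to_attr_id(attr, declared) when is_binary(attr) and is_list(declared) do
    case Enum.find(declared, fn id -> Atom.to_string(id) == attr end) do
      nil -> {:error, :unknown_attr}
      id -> {:ok, id}
    end
  end

  # Hardened form 2: when no allowlist is at hand, String.to_existing_atom/1
  # refuses to create atoms and raises ArgumentError for unknown strings.
  # Note that this still lets a caller name any atom already loaded in the VM,
  # so the allowlist above is the stronger choice where the set is known.
  def to_existing(attr) when is_binary(attr) do
    {:ok, String.to_existing_atom(attr)}
  rescue
    ArgumentError -> {:error, :unknown_attr}
  end

  # For attributes declared as :boolean, parse the two legal spellings instead
  # of interning whatever string arrived.
  def to_boolean("true"), do: {:ok, true}
  def to_boolean("false"), do: {:ok, false}
  def to_boolean(_other), do: {:error, :not_boolean}

  # Operational check: current atom count against the VM ceiling. Exposing
  # `ratio` as a metric and alerting well below 1.0 gives warning of this
  # class of exhaustion before the node aborts.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, ratio: count / limit}
  end
end
```

With `declared = [:label, :size]`, `AtomSafety.to_attr_id("label", declared)` returns `{:ok, :label}` and `AtomSafety.to_attr_id("anything-else", declared)` returns `{:error, :unknown_attr}` without adding an atom; `AtomSafety.to_boolean("yes")` returns `{:error, :not_boolean}`. The `ratio` field of `atom_table_usage/0` is the number a monitoring probe would sample; the default `limit` is the ~1,048,576 figure cited in the advisory unless the node was started with a different `+t` setting.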
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phenixdigital | phoenix_storybook | >= 0.2.0 < 1.1.0 | 1.1.0 |
| phenixdigital | phoenix_storybook | >= 0.2.0 < 1.1.0 | 1.1.0 |
| phenixdigital | phoenix_storybook | >= 0228669d55c23a754d1ef11f49a32121129d5395 < 96d524690af0fe197a49f60d18e564a620b9ef81 | 96d524690af0fe197a49f60d18e564a620b9ef81 |
GHSA · 2026-06-09
CVE-2026-8469 [HIGH] CWE-770 PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)
### Summary
An attacker who can deliver `psb-assign`, `psb-toggle`, `psb-set-theme`, `upper-tab-navigation`, `lower-tab-navigation`, `playground-change`, or `playground-toggle` LiveView events to a mounted Phoenix Storybook playground can flood the BEAM atom table with attacker-controlled strings, permanently leaking atoms until the VM hits its ~1,048,576 atom ceiling and crashes the entire node. No authentication is required beyond being able to reach the storybook route.
Tabs parsing was introduced in https://github.com/phenixdigital/phoenix_storybook/commit/0228669d55c23a754d1ef11f49a32121129d5395
### Details
`PhoenixStorybook.Story.Playground` and `PhoenixStorybook.ExtraAssignsHelpers` converts use
VulDB · 2026-05-20 · CVSS 8.2
CVE-2026-8469 [HIGH] phenixdigital phoenix_storybook up to 1.0.x attr allocation of resources
A vulnerability, which was classified as problematic, was found in phenixdigital phoenix_storybook up to 1.0.x. This vulnerability affects unknown code. The manipulation of the argument attr results in allocation of resources.
This vulnerability is cataloged as CVE-2026-8469. The attack may be launched remotely. There is no exploit available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cna.erlef.org/cves/CVE-2026-8469.html
https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81
https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q
https://osv.dev/vulnerability/EEF-CVE-2026-8469
Published: 2026-05-20