Description
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.

Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.

Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.

This issue affects absinthe: from 1.5.0 before 1.10.2.
Published: 2026-05-08
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Absinthe's GraphQL SDL parser unconstrainedly converts names from an incoming SDL document into Erlang atoms. Because atoms are immutable and never garbage collected, each unique name permanently occupies a slot in a fixed‑size table (default 1,048,576). An attacker who can supply many distinct SDL names – for instance by uploading a malicious schema or crafting federation requests – can exhaust the table, causing the Erlang VM to raise a system_limit exception and terminate the node. The resulting loss of service is complete and occurs without authentication. This flaw is identified by CWE-770.

Affected Systems

Any host using the Absinthe GraphQL library from version 1.5.0 through 1.10.1 (i.e., any release earlier than 1.10.2) is vulnerable. Applications that expose schema‑upload endpoints, federation gateways that ingest remote SDL, or development tools that parse user content can all trigger the flaw.

Risk and Exploitability

The CVSS score of 8.2 signals high severity. No EPSS data is included, so the current exploitation probability is undetermined; the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is likely remote: an unauthenticated adversary can deliver the harmful SDL to any exposed endpoint that feeds the parser. Once the atom table limit is hit, the Erlang VM aborts and the entire node shuts down, delivering a denial of service.

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Absinthe release that includes the protection against atom exhaustion (≥ 1.10.2).
  • If upgrading is not immediately possible, block or sanitize user‑supplied SDL before it reaches Absinthe – for example, by validating name lengths and limiting the number of unique names.
  • Review and harden any public or semi‑public GraphQL schema‑upload or federation endpoints to restrict access to trusted users, and monitor atom table usage to detect saturation early.

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 13:00:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.
Title Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
First Time appeared Absinthe-graphql
Absinthe-graphql absinthe
Weaknesses CWE-770
CPEs cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
Vendors & Products Absinthe-graphql
Absinthe-graphql absinthe
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Absinthe-graphql Absinthe
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-09T12:41:41.873Z

Reserved: 2026-04-29T18:06:33.251Z

Link: CVE-2026-42793

cve-icon Vulnrichment

Updated: 2026-05-08T16:09:07.595Z

cve-icon NVD

Status : Received

Published: 2026-05-08T16:16:12.550

Modified: 2026-05-09T13:16:42.900

Link: CVE-2026-42793

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses