CVE-2026-32689: Phoenix: Long-poll NDJSON body splitting causes large memory allocation

📋 Vulnerability Details

🔬 Technical Analysis

#

Summary An unauthenticated denial-of-service vulnerability in Phoenix's long-poll transport allows a remote client to allocate a large amount of memory with a HTTP request. A handful of concurrent requests can be sufficient to let the node run out of memory. See also https://cna.erlef.org/cves/CVE-2026-32689.html.

Details The unoptimised code path exists on the application/x-ndjson POST handling in the LongPoll transport. The endpoint requires only a session token, which any client can obtain by issuing a GET to the same URL with a matching Origin header, so exploitation is unauthenticated.

Impact Anyone who runs a LiveView app with a public Longpoll socket or uses a Phoenix.Socket with longpoll option.

Longpoll has been enabled for newly generated Phoenix projects since

🎯 Known Indicators of Compromise

📚 Advisory References

• https://github.com/advisories/GHSA-628h-q48j-jr6q
• https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q
• https://nvd.nist.gov/vuln/detail/CVE-2026-32689
• https://github.com/phoenixframework/phoenix/commit/1a67c61ff9ce0a7711662ac7354861917a7c80f7
• https://github.com/phoenixframework/phoenix/commit/912ea181fd247c21dbcc49fb97d0053b947d81bf

🔗 Related Intelligence

• 📊 CYBERDUDEBIVASH SENTINEL APEX Intelligence Feed
• 🛡️ Detection Rules Marketplace
• 🔌 Threat Intelligence API
• 🏢 Enterprise Advisory
• 📧 Free IOC Pack Download
• 💳 API Pricing & Plans