CVE-2026-56811

HIGHNVD 7.57.5
EchelonGraph scoreMEDIUM confidence

This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 0.4%, top 66% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: epss, nvd
Trending — 4 sources updated this week
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll).

This vulnerability is associated with program files lib/phoenix/socket.ex and program routine 'Elixir.Phoenix.Socket':handle_in/4.

Phoenix transports do not limit the number of channels that a single transport process may join. Every phx_join message a client sends over one connection starts a persistent channel process, and the socket process accepts an unbounded number of them. A single unauthenticated client can therefore open one WebSocket or LongPoll connection and stream a large number of phx_join messages, spawning hundreds of thousands of channel processes over that one connection and eventually reaching the BEAM maximum process limit. Once the process table is exhausted the virtual machine can no longer start new processes, denying service to legitimate traffic across the whole node. Because the amplification happens inside a single connection, network-layer connection caps and rate limiting do not mitigate it.

The fix adds a :max_channels_per_transport option (default 100) that bounds the number of channels a single transport process can join, forcing abusive clients to open many connections instead, where external load balancers and reverse proxies can throttle them.

This issue affects phoenix: from 0.11.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.

CVSS v3
7.5
EG Score
7.5(medium)
EPSS
33.9%
KEV
Not listed

Published

July 7, 2026

Last Modified

July 9, 2026

Advisory Details (7)

Auto-updated Jul 7, 2026
Patch available. Sources: github, github_commit.
github_commit

commit 16e295d2fcca (phoenixframework/phoenix)

Fix landed in phoenixframework/phoenix commit 16e295d2fcca — awaiting tagged release

https://github.com/phoenixframework/phoenix/commit/16e295d2fccab185d1292322e2bee5d46c725c8a
github_commit

commit a612100cd8a4 (phoenixframework/phoenix)

Fix landed in phoenixframework/phoenix commit a612100cd8a4 — awaiting tagged release

https://github.com/phoenixframework/phoenix/commit/a612100cd8a4279091abc1a2ef8fb98a6d01c0a1
github_commit

commit d19ca0a8d9f8 (phoenixframework/phoenix)

Fix landed in phoenixframework/phoenix commit d19ca0a8d9f8 — awaiting tagged release

https://github.com/phoenixframework/phoenix/commit/d19ca0a8d9f82c130b7ed339b9f033433e2dea5e
github_commit

commit c498ba8cf49f (phoenixframework/phoenix)

Fix landed in phoenixframework/phoenix commit c498ba8cf49f — awaiting tagged release

https://github.com/phoenixframework/phoenix/commit/c498ba8cf49f6accbbd0c643a5340b58db891218
generic

OSV - Open Source Vulnerabilities

https://osv.dev/vulnerability/EEF-CVE-2026-56811
generic

Phoenix transports do not limit channel joins per connection, enabling process-exhaustion denial of service | Erlang Ecosystem Foundation CNA

https://cna.erlef.org/cves/CVE-2026-56811.html
github Patch Available

Unbounded channel joins per transport enables DoS over few connections · Advisory · phoenixframework/phoenix · GitHub

https://github.com/phoenixframework/phoenix/security/advisories/GHSA-6983-jfq8-485w

Affected Packages

(1 across 1 ecosystem)
Hex(1)
PackageVulnerable rangeFixed inDependents
phoenix0.11.0 ... 1.8.8 (145 versions)1.8.9

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 19× in last 7d / 19× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-12 09:23 UTCEG score recompute
  2. 2026-07-12 05:46 UTCEPSS rescore
  3. 2026-07-11 20:47 UTCEG score recompute
  4. 2026-07-11 08:27 UTCEPSS rescore
  5. 2026-07-11 08:27 UTCEPSS rescore
  6. 2026-07-11 08:11 UTCEG score recompute
  7. 2026-07-10 19:35 UTCEG score recompute
  8. 2026-07-10 06:58 UTCEG score recompute
  9. 2026-07-09 19:10 UTCEPSS rescore
  10. 2026-07-09 19:10 UTCEPSS rescore
  11. 2026-07-09 18:21 UTCEG score recompute 1.20
  12. 2026-07-09 15:53 UTCNVD updateCVSS v3 → 7.5
  13. 2026-07-09 05:43 UTCEG score recompute
  14. 2026-07-08 17:06 UTCEG score recompute
  15. 2026-07-08 15:16 UTCEPSS rescore
  16. 2026-07-08 15:16 UTCEPSS rescore
  17. 2026-07-08 04:28 UTCEG score recompute
  18. 2026-07-07 15:52 UTCEG score recompute
  19. 2026-07-07 15:51 UTCMITRE cvelistV5first tracked

Frequently asked(5)

What is CVE-2026-56811?
CVE-2026-56811 is a high vulnerability published on July 7, 2026. Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll). This…
When was CVE-2026-56811 disclosed?
CVE-2026-56811 was first published in the National Vulnerability Database on July 7, 2026, with the most recent update on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-56811 actively exploited?
CVE-2026-56811 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 33.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-56811?
CVE-2026-56811 has a CVSS v3 base score of 7.5 (NVD).
How do I remediate CVE-2026-56811?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-56811, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-56811

Explore →

Is Your Infrastructure Affected by CVE-2026-56811?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.