Phoenix Long-Poll Transport Denial-of-Service Vulnerability
An unauthenticated denial-of-service vulnerability in Phoenix's long-poll transport allows a remote client to exhaust server memory by sending a series of crafted HTTP requests, affecting LiveView apps with a public longpoll socket or a Phoenix.Socket configured with the longpoll option.
A denial-of-service vulnerability has been identified in the long-poll transport mechanism of the Phoenix framework. This vulnerability, designated CVE-2026-32689, allows an unauthenticated remote attacker to trigger a significant memory allocation on the server by sending malicious HTTP requests. The flaw stems from an unoptimized code path in the application/x-ndjson POST handling within the LongPoll transport. Since obtaining a session token requires only a GET request with a matching Origin header, exploitation is unauthenticated. Because longpoll has been enabled by default in newly generated Phoenix projects since version 1.7.11, a wide range of applications is potentially exposed to denial-of-service attacks. The affected versions are Phoenix >= 1.7.0 and < 1.7.22, as well as >= 1.8.0 and < 1.8.6.
Attack Chain
- Attacker sends an HTTP GET request to the long-poll endpoint with a valid Origin header.
- The server responds with a session token.
- Attacker sends multiple concurrent HTTP POST requests with the application/x-ndjson content type to the long-poll endpoint, including the session token.
- The server receives the POST requests and processes them through the unoptimized code path in the LongPoll transport.
- The server allocates a large amount of memory for each request due to the NDJSON body splitting.
- The memory consumption increases rapidly as the attacker sends more requests.
- The server’s memory resources are exhausted, leading to a denial-of-service condition.
- Legitimate users are unable to access the application due to the server’s unavailability.
Impact
Successful exploitation of this vulnerability can lead to a complete denial of service, rendering Phoenix-based applications unresponsive. Applications using LiveView with public longpoll sockets, or a Phoenix.Socket with the longpoll option, are vulnerable. Because longpoll has been enabled by default in Phoenix projects since version 1.7.11, many applications are likely affected. The impact is a temporary outage, potentially leading to data loss or service disruption.
Recommendation
- Upgrade to Phoenix 1.7.22 or later (for the 1.7.x line) or 1.8.6 or later (for the 1.8.x line) to patch CVE-2026-32689 and mitigate the denial-of-service vulnerability.
- Deploy the Sigma rule “Detect CVE-2026-32689 Exploitation Attempt — High Volume NDJSON POST Requests” to identify potential exploitation attempts by monitoring for a high volume of application/x-ndjson POST requests to the long-poll endpoint.
- Monitor web server logs for an unusual number of POST requests with the application/x-ndjson content type, looking for potential indicators of exploitation.
Detection coverage (2 rules)
Detect CVE-2026-32689 Exploitation Attempt — High Volume NDJSON POST Requests
Severity: high. Detects CVE-2026-32689 exploitation attempt — monitors for a high volume of application/x-ndjson POST requests to the long-poll endpoint, which could indicate an attempt to exhaust server memory.
Detect CVE-2026-32689 Exploitation Attempt — NDJSON POST with Large Body
Severity: medium. Detects CVE-2026-32689 exploitation attempt — identifies POST requests to the long-poll endpoint with the 'application/x-ndjson' content type and a large request body, indicative of a memory exhaustion attempt.
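As an added illustration of the two detection rules above (example code written for this page, not the advisory's or Phoenix's own), the following Python script runs over constructed access-log lines and flags a client sending a high volume of application/x-ndjson POST requests to the long-poll endpoint within a short window, plus any such request with an oversized body. The endpoint path /live/longpoll, the log line format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: a Phoenix socket mounted at "/live" serves its long-poll transport at "/live/longpoll".
LONGPOLL_PATH = "/live/longpoll"
NDJSON = "application/x-ndjson"


def parse_line(line):
    """Parse one constructed access-log line: '<iso_ts> <ip> <method> <path> <content_type> <body_bytes>'."""
    ts, ip, method, path, ctype, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "ctype": ctype, "size": int(size)}


def detect(lines, volume_threshold=50, window=timedelta(seconds=10), large_body=1_000_000):
    """Mirror the two rules: return (ips exceeding the POST volume, (ip, bytes) of oversized bodies)."""
    per_ip = defaultdict(list)
    large = []
    for rec in map(parse_line, lines):
        # Only NDJSON POSTs to the long-poll endpoint are relevant to CVE-2026-32689.
        if rec["method"] != "POST" or rec["path"] != LONGPOLL_PATH or rec["ctype"] != NDJSON:
            continue
        if rec["size"] >= large_body:
            large.append((rec["ip"], rec["size"]))
        per_ip[rec["ip"]].append(rec["ts"])
    noisy = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):  # sliding window over the client's sorted timestamps
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= volume_threshold:
                noisy.add(ip)
                break
    return sorted(noisy), large


def sample_log():
    """Constructed log: one normal client, one client bursting NDJSON POSTs, one oversized body."""
    base = datetime(2026, 3, 1, 12, 0, 0)
    lines = [f"{base.isoformat()} 198.51.100.9 GET {LONGPOLL_PATH} - 0",
             f"{base.isoformat()} 198.51.100.9 POST {LONGPOLL_PATH} {NDJSON} 96"]
    for i in range(60):  # 60 NDJSON POSTs from one client within six seconds
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 POST {LONGPOLL_PATH} {NDJSON} 2048")
    t = base + timedelta(seconds=30)
    lines.append(f"{t.isoformat()} 192.0.2.44 POST {LONGPOLL_PATH} {NDJSON} 5000000")
    return lines


if __name__ == "__main__":
    print(detect(sample_log()))
```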