https://feed.craftedsignal.io/tags/resource-exhaustion/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 19:16:02 +0000https://feed.craftedsignal.io/briefs/2026-05-contact-form-7-resource-exhaustion/Mon, 04 May 2026 19:16:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-contact-form-7-resource-exhaustion/The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.The Contact Form 7 WordPress plugin, specifically versions up to 2.6.7, contains an uncontrolled resource consumption vulnerability (CVE-2026-25863) within the Wpcf7cfMailParser class. The hide_hidden_mail_fields_regex_callback() method is susceptible to unbounded loop execution due to reading an iteration count directly from user-supplied POST parameters via the REST API endpoint without proper validation. This allows unauthenticated attackers to send a large integer value, triggering multiple preg_replace() operations, leading to server memory exhaustion and crashing the PHP process. This vulnerability enables a denial-of-service condition, potentially impacting all websites using the vulnerable plugin.

Attack Chain

1. An unauthenticated attacker identifies a WordPress website using Contact Form 7 plugin version 2.6.7 or earlier.
2. The attacker crafts a malicious HTTP POST request targeting the WordPress REST API endpoint.
3. The POST request includes a large integer value for the iteration count parameter, which is passed directly to the hide_hidden_mail_fields_regex_callback() method.
4. The hide_hidden_mail_fields_regex_callback() method, lacking input validation, reads the attacker-controlled integer.
5. The method initiates an unbounded loop, performing preg_replace() operations based on the attacker-supplied iteration count.
6. Each preg_replace() operation consumes server memory.
7. The excessive number of iterations rapidly exhausts available server memory.
8. The PHP process crashes due to memory exhaustion, resulting in a denial-of-service condition for the website.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition. Attackers can crash the PHP process on vulnerable WordPress websites by exhausting server memory. This can result in website downtime, impacting user experience and potentially leading to data loss or corruption. While the exact number of affected websites is unknown, the widespread use of Contact Form 7 makes this vulnerability a significant threat.

Recommendation

• Upgrade the Contact Form 7 WordPress plugin to a version greater than 2.6.7 to patch CVE-2026-25863.
• Deploy the Sigma rule Detect Contact Form 7 Uncontrolled Resource Consumption Attempt to your SIEM to detect malicious POST requests targeting the WordPress REST API.
• Monitor web server logs for abnormally large POST request sizes to the WordPress REST API endpoint, as this may indicate an attempted exploitation of CVE-2026-25863.

]]>mediumadvisorywordpressresource-exhaustiondenial-of-servicecve-2026-25863https://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.OpenClaw before version 2026.3.31 is vulnerable to a resource exhaustion attack due to improper handling of MS Teams webhook requests. The application parses the request body before validating the JWT, which allows unauthenticated attackers to send malicious payloads. By sending specially crafted Teams webhook payloads, attackers can bypass authentication checks and exhaust server resources. This vulnerability, identified as CVE-2026-41405, can lead to denial of service and impacts systems where OpenClaw is used to process MS Teams webhooks. Successful exploitation can severely degrade or halt OpenClaw’s functionality.

Attack Chain

1. An unauthenticated attacker identifies an OpenClaw instance processing MS Teams webhooks.
2. The attacker crafts a malicious MS Teams webhook payload designed to consume excessive resources during parsing.
3. The attacker sends the malicious webhook payload to the OpenClaw endpoint.
4. OpenClaw receives the webhook request and begins parsing the request body before JWT validation.
5. The malicious payload triggers excessive resource consumption (CPU, memory) during the parsing stage.
6. The parsing process exhausts available server resources.
7. OpenClaw becomes unresponsive or crashes due to resource exhaustion.
8. Legitimate MS Teams webhook requests are no longer processed, leading to a denial of service.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition, rendering OpenClaw unresponsive. This can disrupt any services relying on OpenClaw for MS Teams webhook processing. While the precise number of affected organizations is unknown, any organization using a vulnerable version of OpenClaw is at risk. The impact includes potential loss of data, interrupted workflows, and reputational damage.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41405.
• Implement rate limiting on the MS Teams webhook endpoint to mitigate resource exhaustion, even after patching.
• Monitor web server logs (category webserver, product linux) for unusual traffic patterns and large request sizes to the MS Teams webhook endpoint.
• Deploy the Sigma rule Detect High Number of Requests to Teams Webhook to identify potential exploitation attempts.

]]>mediumadvisoryresource-exhaustionwebhookcve-2026-41405https://feed.craftedsignal.io/briefs/2026-04-telerik-resource-exhaustion/Wed, 22 Apr 2026 08:16:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-telerik-resource-exhaustion/A vulnerability exists in Progress Telerik UI for AJAX prior to 2026.1.421, RadAsyncUpload, due to missing cumulative size enforcement during chunk reassembly, which allows file uploads to exceed the configured maximum size, leading to disk space exhaustion.Progress Telerik UI for AJAX, a suite of UI components for ASP.NET AJAX, contains an uncontrolled resource consumption vulnerability within the RadAsyncUpload component. This vulnerability, identified as CVE-2026-6022, affects versions prior to 2026.1.421. The vulnerability stems from a failure to properly enforce maximum file size limits during the reassembly of file chunks uploaded via the RadAsyncUpload component. An unauthenticated attacker could exploit this vulnerability by uploading a large file in chunks, bypassing the configured maximum file size restriction. Successful exploitation leads to excessive disk space consumption on the server, potentially causing denial of service.

Attack Chain

1. The attacker identifies a web application using a vulnerable version of Progress Telerik UI for AJAX with the RadAsyncUpload component enabled.
2. The attacker crafts an HTTP request to initiate a file upload to the RadAsyncUpload endpoint.
3. The attacker splits the malicious file into multiple chunks, each smaller than the initially configured maximum upload size limit.
4. The attacker sends each chunk to the server using separate HTTP requests to the RadAsyncUpload endpoint.
5. The server receives the chunks and stores them temporarily, without enforcing the cumulative file size.
6. Once all chunks are uploaded, the RadAsyncUpload component reassembles the file.
7. Due to the missing cumulative size check, the reassembled file exceeds the maximum allowed file size.
8. The server stores the complete, oversized file, leading to disk space exhaustion.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition due to disk space exhaustion. The number of affected systems depends on the usage of the vulnerable Telerik UI for AJAX RadAsyncUpload component. Organizations in any sector using the affected Telerik component are potentially vulnerable. If successful, the attack can cause application downtime, data loss, and require administrative intervention to restore service.

Recommendation

• Upgrade Progress Telerik UI for AJAX to version 2026.1.421 or later to patch CVE-2026-6022.
• Implement server-side monitoring for excessive disk space usage in directories associated with RadAsyncUpload temporary file storage.
• Deploy the Sigma rule DetectSuspiciousRadAsyncUploadChunks to detect potential exploitation attempts.
• Review and harden file upload size limits to prevent resource exhaustion, as described in the Telerik documentation referenced.

]]>highadvisorycve-2026-6022telerikresource-exhaustionhttps://feed.craftedsignal.io/briefs/2026-04-17-meridian-defense-gaps/Fri, 17 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-17-meridian-defense-gaps/Multiple defense-in-depth gaps exist in Meridian versions prior to 2.1.1, including high severity issues related to bypassing safety caps on collection mapping that can lead to resource exhaustion, along with medium and low severity issues affecting constructor selection, telemetry, retry mechanisms, and exception handling.Meridian versions before 2.1.1 contain multiple vulnerabilities stemming from defense-in-depth gaps within the Meridian.Mapping and Meridian.Mediator components. Two high-severity issues involve bypassing the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps, particularly when using the IMapper.Map(source, destination) overload or .UseDestinationValue() on collection-typed properties. These flaws can lead to resource exhaustion. Additional medium-severity issues include constructor invariant bypass, OpenTelemetry stack-trace information disclosure, retry amplification, and notification fan-out amplification. The vulnerabilities were patched in version 2.1.1, released on April 16, 2026. The issues affect applications using the Meridian library for object-object mapping and mediation. Successful exploitation could lead to denial-of-service conditions, information disclosure, and unexpected application behavior.

Attack Chain

1. An attacker sends a crafted request to an application using Meridian, including a large or self-referential collection in the request payload.
2. The application’s mapping logic utilizes IMapper.Map(source, destination) or .UseDestinationValue() on a collection property, triggering the vulnerable code path.
3. The MappingEngine.TryMapCollectionOntoExisting method processes the collection without enforcing DefaultMaxCollectionItems, leading to excessive memory consumption.
4. Collection-item recursion fails to increment ResolutionContext.Depth, allowing self-referential graphs to bypass DefaultMaxDepth and cause a stack overflow.
5. The unbounded collection processing consumes excessive CPU and memory resources, potentially blocking the worker thread.
6. Alternatively, an attacker exploits the ObjectCreator.CreateWithConstructorMapping vulnerability by providing input that bypasses constructor invariants due to the widest constructor being selected.
7. The application experiences a denial-of-service condition due to resource exhaustion or exhibits unintended behavior due to bypassed constructor invariants.

Impact

Successful exploitation of these vulnerabilities can lead to significant consequences. An attacker can cause denial-of-service by exhausting server resources, potentially impacting all users of the affected application. Information disclosure is possible through OpenTelemetry stack traces, and bypassing constructor invariants can lead to unexpected application behavior and potential data corruption. The high-severity vulnerabilities related to collection mapping are particularly concerning due to the potential for easy exploitation through a single crafted request. The impact is mitigated by upgrading to version 2.1.1 of the Meridian.Mapping and Meridian.Mediator libraries.

Recommendation

• Immediately upgrade to Meridian version 2.1.1 to patch the identified vulnerabilities, as documented in the v2.1.1 CHANGELOG.
• For applications that cannot be immediately upgraded, avoid using mapper.Map(src, dst) and .UseDestinationValue() on collection-typed destination members as a temporary workaround.
• Implement explicit size limits on input collection deserialization before passing the payload to Meridian, as described in the Workarounds section of this brief.
• Consider disabling OpenTelemetry exception.stacktrace tag emission if your trace sink is not fully trusted, mitigating potential information disclosure.

]]>highadvisorydefense-in-depthresource-exhaustioninformation-disclosuredotnethttps://feed.craftedsignal.io/briefs/2026-04-praisonai-websocket-vuln/Thu, 09 Apr 2026 22:16:35 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-praisonai-websocket-vuln/PraisonAI before version 4.5.128 is vulnerable to resource exhaustion and API credit draining due to the `/media-stream` WebSocket endpoint accepting unauthenticated connections, allowing attackers to exhaust server resources and drain OpenAI API credits.PraisonAI, a multi-agent teams system, contains a vulnerability in versions prior to 4.5.128 that exposes the /media-stream WebSocket endpoint in its call module. This endpoint lacks authentication or Twilio signature validation, allowing any client to establish a connection. Each successful connection initiates an authenticated session to OpenAI’s Realtime API, utilizing the server’s API key. Due to the absence of rate limits, connection limits, or message size restrictions, a malicious actor can exploit this vulnerability by creating numerous concurrent connections. This can lead to the exhaustion of server resources and a significant drain on the victim’s OpenAI API credits. This vulnerability is addressed and patched in version 4.5.128.

Attack Chain

1. Attacker identifies a PraisonAI instance running a vulnerable version (prior to 4.5.128).
2. Attacker establishes a WebSocket connection to the /media-stream endpoint of the PraisonAI instance without providing any authentication credentials.
3. The PraisonAI server, upon receiving the unauthenticated WebSocket connection, creates an authenticated session with the OpenAI Realtime API using its own API key.
4. Attacker sends a large volume of messages through the WebSocket connection, exploiting the lack of message rate limits.
5. Attacker initiates multiple concurrent WebSocket connections to the /media-stream endpoint.
6. The PraisonAI server becomes overloaded due to the excessive number of connections and message processing demands.
7. The victim’s OpenAI API credits are rapidly depleted as the PraisonAI server processes requests from the attacker’s connections.
8. The PraisonAI server experiences degraded performance or becomes completely unresponsive, impacting legitimate users.

Impact

Successful exploitation of this vulnerability results in resource exhaustion on the PraisonAI server, potentially causing denial of service for legitimate users. Furthermore, it leads to the unauthorized consumption of the victim’s OpenAI API credits, resulting in unexpected charges and potential disruption of services reliant on the OpenAI API. The number of affected organizations depends on the prevalence of vulnerable PraisonAI instances deployed.

Recommendation

• Upgrade PraisonAI installations to version 4.5.128 or later to patch CVE-2026-40116.
• Implement rate limiting on WebSocket connections to the /media-stream endpoint to mitigate resource exhaustion.
• Monitor OpenAI API usage for unexpected spikes in activity that may indicate exploitation of this vulnerability.
• Deploy the Sigma rule DetectSuspiciousPraisonAIWebSocketConnections to identify potential exploitation attempts by detecting a high number of connections to the /media-stream endpoint.

]]>highadvisorycve-2026-40116resource-exhaustionwebsocketapi-abusecloudhttps://feed.craftedsignal.io/briefs/2026-04-saleor-resource-exhaustion/Thu, 09 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-saleor-resource-exhaustion/Unauthenticated attackers can exploit a resource exhaustion vulnerability (CVE-2026-33756) in Saleor e-commerce platform versions before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 by sending a single HTTP request with a large number of GraphQL operations, bypassing query complexity limits and exhausting server resources.Saleor, an e-commerce platform, is susceptible to a resource exhaustion vulnerability affecting versions 2.0.0 prior to 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. This vulnerability stems from the platform’s support for query batching, where multiple GraphQL operations can be submitted in a single HTTP request as a JSON array. The absence of an upper limit on the number of operations within a single request allows unauthenticated attackers to bypass per-query complexity limits. By sending a single HTTP request containing a massive number of GraphQL operations, an attacker can exhaust server resources, potentially leading to denial of service. The vulnerability is addressed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. Defenders must ensure they are running patched versions.

Attack Chain

1. The attacker identifies a Saleor instance running a vulnerable version (prior to 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118).
2. The attacker crafts a malicious HTTP POST request targeting the GraphQL endpoint (typically /graphql/).
3. The request body contains a JSON array representing a batch of GraphQL queries.
4. The number of GraphQL operations within the array is excessively large, designed to bypass query complexity limits.
5. The Saleor server processes the HTTP request, attempting to execute all GraphQL operations within the batch.
6. Due to the large number of operations, the server’s resources (CPU, memory) become heavily utilized.
7. The server becomes slow or unresponsive to legitimate user requests, causing a denial-of-service condition.
8. The attacker repeats the process to maintain the denial-of-service state, impacting legitimate users.

Impact

Successful exploitation of this vulnerability results in resource exhaustion on the Saleor e-commerce platform. This can lead to slow response times, application instability, and ultimately a denial-of-service condition for legitimate users. This vulnerability poses a significant risk to e-commerce businesses relying on Saleor, potentially impacting sales, customer satisfaction, and overall business operations. The number of potential victims is directly proportional to the number of Saleor installations running vulnerable versions.

Recommendation

• Upgrade Saleor instances to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 or later to patch CVE-2026-33756.
• Deploy the Sigma rule Detect High Volume of GraphQL Queries to identify potential exploitation attempts by monitoring the number of GraphQL queries within a single HTTP request in web server logs.
• Monitor web server logs for abnormally large HTTP POST requests to the /graphql/ endpoint.
• Implement rate limiting on the GraphQL endpoint to restrict the number of requests from a single IP address within a defined timeframe.

]]>mediumadvisoryresource-exhaustiongraphqlcve-2026-33756doshttps://feed.craftedsignal.io/briefs/2026-04-saleor-graphql-exhaustion/Wed, 08 Apr 2026 19:25:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-saleor-graphql-exhaustion/A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.CVE-2026-35401 details a resource exhaustion vulnerability affecting the Saleor e-commerce platform. Present in versions 2.0.0 up to, but not including, 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the flaw allows an unauthenticated, remote attacker to exhaust server resources. This is achieved by sending a single API call containing numerous GraphQL mutations or queries, leveraging aliases or chaining techniques. The excessive processing load induced by these malicious requests can lead to a denial-of-service (DoS) condition. Organizations using vulnerable Saleor versions are at risk of service disruption, potentially impacting business operations and revenue. Mitigation involves upgrading to the patched versions: 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118.

Attack Chain

1. The attacker identifies a Saleor e-commerce platform running a vulnerable version (2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118).
2. The attacker crafts a malicious GraphQL query or mutation containing numerous aliased or chained operations. This is done to maximize server-side processing load.
3. The attacker sends the crafted GraphQL request to the Saleor platform’s API endpoint, typically /graphql/.
4. The Saleor server attempts to process all the queries/mutations within the single request.
5. The server resources (CPU, memory, database connections) are rapidly consumed by the excessive processing demand.
6. The server becomes slow and unresponsive, potentially timing out for legitimate user requests.
7. The Saleor e-commerce platform experiences a denial-of-service condition, disrupting service for legitimate customers.
8. The attacker may repeat this process to maintain the denial-of-service state, further impacting business operations.

Impact

Successful exploitation of CVE-2026-35401 leads to resource exhaustion on the Saleor e-commerce platform, resulting in a denial-of-service condition. This disruption can impact online sales, customer experience, and brand reputation. The number of affected systems depends on the prevalence of vulnerable Saleor installations. While the exact number of victims is unknown, any e-commerce business using an unpatched version is susceptible to service outages. Prolonged or repeated attacks can lead to significant financial losses and damage to business operations.

Recommendation

• Immediately upgrade Saleor e-commerce platforms to versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118 to patch CVE-2026-35401.
• Implement rate limiting on the /graphql/ API endpoint to mitigate the impact of excessive requests.
• Deploy the Sigma rule Detect Suspicious GraphQL Volume to identify potential exploitation attempts based on request patterns.

]]>mediumadvisorycve-2026-35401graphqlresource-exhaustiondenial-of-servicesaleor