This vulnerability (CVE-2026-32689) in phoenixframework phoenix involves improper handling of NDJSON request bodies in the long-poll transport's publish/4 function. Specifically, when a POST request with Content-Type application/x-ndjson is received, the body is split on newline characters without limiting the number of segments. An attacker can exploit this by sending a body composed entirely of newline bytes, causing a massive amplification in list elements that exhausts BEAM memory and schedulers, leading to a node crash and termination of all active sessions. The required session token can be obtained unauthenticated via a GET request with a matching Origin header, making the attack effectively unauthenticated. Affected versions include phoenix 1.7.0 up to but not including 1.7.22 and 1.8.6.

Successful exploitation results in denial of service by crashing the phoenix node, terminating all active sessions. The vulnerability allows unauthenticated attackers to exhaust server resources, causing service disruption. There are no indications of code execution or data breach from the provided information.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is documented in the provided data. Until a patch is available, consider restricting or validating NDJSON payload sizes and monitoring for abnormal request patterns targeting the long-poll transport endpoint.