CVE-2026-48593: CWE-400 Uncontrolled Resource Consumption in oban-bg oban_web
CVE-2026-48593 is an uncontrolled resource consumption vulnerability in the oban_web component of oban-bg, specifically in the Elixir. Oban. Web. CronExpr modules. It allows an attacker with permission to schedule cron jobs to submit a maliciously large cron range expression, which when rendered in the dashboard causes excessive memory allocation (~2. 4 GB) and can stall or crash the BEAM node. This affects oban_web versions from 2. 12. 0 before 2. 12.
AI Analysis
Technical Summary
The vulnerability arises from the lack of bounds checking in the parse_range/1 function used by the describe/1 function in Elixir.Oban.Web.CronExpr. An attacker can submit a cron expression with an extremely large range (e.g., "0 0 1-100000000 * *"), which is eagerly expanded into a large list via Enum.to_list/1, causing uncontrolled memory consumption and potential denial of service. Although a related helper function extract_dom_values performs range validation, the expansion helpers do not, leading to this flaw. The issue affects oban_web versions starting at 2.12.0 up to but not including 2.12.5.
Potential Impact
Successful exploitation can cause the BEAM node running oban_web to stall or crash due to memory exhaustion from unbounded cron range expansion. This results in denial of service for users relying on the oban_web dashboard. The vulnerability requires the attacker to have permission to schedule cron jobs and for a user with dashboard access to view the malicious cron job list, which triggers the resource exhaustion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict or monitor permissions to schedule cron jobs to trusted users only, and limit dashboard access to prevent triggering the resource exhaustion. Avoid viewing cron job lists containing untrusted or suspicious cron expressions.
CVE-2026-48593: CWE-400 Uncontrolled Resource Consumption in oban-bg oban_web
Description
CVE-2026-48593 is an uncontrolled resource consumption vulnerability in the oban_web component of oban-bg, specifically in the Elixir. Oban. Web. CronExpr modules. It allows an attacker with permission to schedule cron jobs to submit a maliciously large cron range expression, which when rendered in the dashboard causes excessive memory allocation (~2. 4 GB) and can stall or crash the BEAM node. This affects oban_web versions from 2. 12. 0 before 2. 12.
CVSS v4.0
Score 5.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from the lack of bounds checking in the parse_range/1 function used by the describe/1 function in Elixir.Oban.Web.CronExpr. An attacker can submit a cron expression with an extremely large range (e.g., "0 0 1-100000000 * *"), which is eagerly expanded into a large list via Enum.to_list/1, causing uncontrolled memory consumption and potential denial of service. Although a related helper function extract_dom_values performs range validation, the expansion helpers do not, leading to this flaw. The issue affects oban_web versions starting at 2.12.0 up to but not including 2.12.5.
Potential Impact
Successful exploitation can cause the BEAM node running oban_web to stall or crash due to memory exhaustion from unbounded cron range expansion. This results in denial of service for users relying on the oban_web dashboard. The vulnerability requires the attacker to have permission to schedule cron jobs and for a user with dashboard access to view the malicious cron job list, which triggers the resource exhaustion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict or monitor permissions to schedule cron jobs to trusted users only, and limit dashboard access to prevent triggering the resource exhaustion. Avoid viewing cron job lists containing untrusted or suspicious cron expressions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-22T09:36:56.834Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16041de29bf47b505ea07f
Added to database: 5/26/2026, 8:35:41 PM
Last enriched: 5/26/2026, 8:49:09 PM
Last updated: 5/26/2026, 10:03:54 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.