CVE-2026-8469: CWE-770 Allocation of Resources Without Limits or Throttling in phenixdigital phoenix_storybook
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-8469) in phenixdigital phoenix_storybook (versions before 1.1.0) is due to unsafe conversion of user-controlled strings to BEAM atoms in multiple LiveView event handlers without validation or throttling. The functions involved intern atoms from user input parameters such as psb-assign map keys, psb-toggle event attributes, variation_id elements, and raw string values for attributes declared as :atom or :boolean. Because BEAM atoms are not garbage-collected, an attacker can exhaust the atom table by supplying many unique strings, causing the BEAM node to abort and resulting in denial-of-service. The vulnerability has a CVSS 4.0 score of 8.2 (high severity) and affects version 0.2.0 of phoenix_storybook. No patch or official remediation is currently documented.
Potential Impact
An unauthenticated attacker can cause a denial-of-service condition by exhausting the BEAM atom table through repeated submission of unique strings that are converted to atoms. This leads to the BEAM node aborting, which crashes all applications running on that node. This impacts availability severely but does not indicate direct code execution or data disclosure from the provided information.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to vulnerable endpoints or implementing rate limiting on inputs that lead to atom creation. Avoid exposing the vulnerable LiveView event handlers to untrusted users if possible. Monitor vendor communications for updates and apply official patches once released.
CVE-2026-8469: CWE-770 Allocation of Resources Without Limits or Throttling in phenixdigital phoenix_storybook
Description
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-8469) in phenixdigital phoenix_storybook (versions before 1.1.0) is due to unsafe conversion of user-controlled strings to BEAM atoms in multiple LiveView event handlers without validation or throttling. The functions involved intern atoms from user input parameters such as psb-assign map keys, psb-toggle event attributes, variation_id elements, and raw string values for attributes declared as :atom or :boolean. Because BEAM atoms are not garbage-collected, an attacker can exhaust the atom table by supplying many unique strings, causing the BEAM node to abort and resulting in denial-of-service. The vulnerability has a CVSS 4.0 score of 8.2 (high severity) and affects version 0.2.0 of phoenix_storybook. No patch or official remediation is currently documented.
Potential Impact
An unauthenticated attacker can cause a denial-of-service condition by exhausting the BEAM atom table through repeated submission of unique strings that are converted to atoms. This leads to the BEAM node aborting, which crashes all applications running on that node. This impacts availability severely but does not indicate direct code execution or data disclosure from the provided information.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to vulnerable endpoints or implementing rate limiting on inputs that lead to atom creation. Avoid exposing the vulnerable LiveView event handlers to untrusted users if possible. Monitor vendor communications for updates and apply official patches once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-13T11:44:43.316Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0dc2e7ba1db4736284c25e
Added to database: 5/20/2026, 2:19:19 PM
Last enriched: 5/20/2026, 2:33:43 PM
Last updated: 5/20/2026, 10:35:16 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.