← All news

Wednesday 15 July 2026 · Josh Price

A busy month for BEAM security advisories

Since our last CNA write-up the Erlang Ecosystem Foundation CNA has been busy: roughly two dozen CVEs in the last month, several in packages almost every Elixir web app depends on. Below they're grouped by package and ordered by severity (CVSS), worst first, with the version to upgrade to. If you do one thing, run mix hex.audit.

ueberauth_apple

  • CVE-2026-55954 CRITICAL 9.1: the JWT signature is checked but ID-token claims aren't, so any Apple-signed token bearing a victim's identifier can be replayed for account takeover.

    Fix Upgrade ueberauth_apple to 0.6.2. Patch this today if you offer Sign in with Apple.

phoenix

  • CVE-2026-56811 HIGH 8.7: no per-connection channel-join limit, process-exhaustion DoS from a single unauthenticated connection.

  • CVE-2026-56812 MEDIUM 6.3: Presence client crashes on prototype-key collisions in syncState/syncDiff.

    Fix Upgrade phoenix to 1.8.9 (or 1.7.24 / 1.6.17 / 1.5.15 on older branches).

mint

  • CVE-2026-56810 HIGH 8.7: buffers an entire chunked response chunk in memory.

  • CVE-2026-58229 HIGH 8.2: unbounded HTTP/1 response-header accumulation, memory-exhaustion DoS.

  • CVE-2026-59246 MEDIUM 6.3: zero-length HTTP/2 CONTINUATION frames slip past the header byte-size cap.

    Fix Upgrade mint to 1.9.2. Mint sits under Finch, Req and friends, so you may pull it in transitively.

hpax

  • CVE-2026-58226 HIGH 8.7: unbounded HPACK integer decoding, unauthenticated DoS.

    Fix Upgrade hpax to 1.0.4. Transitive via Bandit and Mint.

ssl (Erlang/OTP)

  • CVE-2026-55950 HIGH 8.7: DTLS listener crash via a race in dtls_packet_demux.

  • CVE-2026-55952 HIGH 8.2: TLS 1.3 server DoS via a malformed ClientHello pre-shared-key extension.

  • CVE-2026-54891 MEDIUM 6.3: plaintext APPLICATION_DATA injected during the TLS handshake, delivered post-handshake.

  • CVE-2026-54887 MEDIUM 6.3: DTLS cookie bypass during the startup window.

    Fix Upgrade Erlang/OTP to 29.0.3, 28.5.0.3, or 27.3.4.14 (whichever matches your branch). An OTP upgrade, not a Hex bump.

mdex

  • CVE-2026-53426 HIGH: atom-table exhaustion DoS via JSON parse_document.

  • CVE-2026-54889 MEDIUM: javascript: injection (XSS) in Quill Delta output.

  • CVE-2026-54888 MEDIUM: uncontrolled recursion over deeply nested Markdown crashes the BEAM.

  • CVE-2026-53429 MEDIUM: native memory leak in escaped-tag rendering.

  • CVE-2026-53428 MEDIUM: unbounded allocation in highlight_lines range expansion.

  • CVE-2026-53427 LOW: XSS via an unescaped highlight_lines_class code-fence attribute.

    Fix Upgrade mdex to 0.13.x (we run 0.13.3). We hit these on this very site, see the Hex 2.5 write-up.

plug

  • CVE-2026-56814 MEDIUM 6.9: multipart part headers aren't charged to the :length limit, so uploads can create unbounded temp files.

  • CVE-2026-56813 LOW 2.1: cookie attribute injection in Plug.Conn.Cookies.encode/2.

    Fix Upgrade plug to 1.20.3 (or 1.19.5 / 1.18.5 / 1.17.4 / 1.16.6 on older branches).

ssh (Erlang/OTP)

  • CVE-2026-54886 MEDIUM 5.3: SFTP server DoS via an extended channel-data infinite loop.

  • CVE-2026-53422 LOW 2.3: SFTP REALPATH path-existence oracle allows enumeration outside the configured root.

    Fix The same OTP releases as above: 29.0.3 / 28.5.0.3 / 27.3.4.14.

phoenix_live_view

postgrex

  • CVE-2026-58225 LOW 2.1: SQL injection via an unescaped dollar-quote in notification reconnect replay, causing DoS.

    Fix Upgrade postgrex to 0.22.3.

swoosh

  • CVE-2026-54893 LOW 2.1: email-derived URL path injection in the Microsoft Graph adapter, only if you derive the sender address from untrusted input.

    Fix Upgrade swoosh to 1.26.3.

What to do

  1. Run mix hex.audit. On Hex 2.5 it also flags advisories inline during mix deps.get and fails CI on a vulnerable lockfile (see the Hex 2.5 write-up).
  2. Patch worst first: the CRITICAL ueberauth_apple account-takeover, then the HIGH memory-exhaustion DoS in Phoenix, Mint, hpax and OTP ssl. Update Erlang/OTP for the ssl and ssh ones.
  3. Watch the EEF CNA advisory list.

Most of these are denial-of-service via unbounded memory, but the Apple auth bypass is a real account takeover and the LiveView issue is an XSS, so don't sit on those. The reassuring part: the ecosystem catalogues this properly now and the tooling surfaces it, so staying current is mostly a matter of running the audit and not ignoring it.