{"id":"EEF-CVE-2026-8469","summary":"Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook","details":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the \"attr\" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of \"variation_id\"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\n\nThis issue affects phoenix_storybook from 0.2.0 before 1.1.0.\n\n## Configuration\n\nPhoenix Storybook must be mounted on a network-reachable route.","aliases":["CVE-2026-8469","GHSA-833p-95jq-929q"],"modified":"2026-05-20T13:56:23.185014232Z","published":"2026-05-20T13:35:27.914Z","database_specific":{"cpe_ids":["cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"],"capec_ids":["CAPEC-130"],"cwe_ids":["CWE-770"]},"references":[{"type":"ADVISORY","url":"https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8469.html"},{"type":"FIX","url":"https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81"},{"type":"PACKAGE","url":"https://hex.pm/packages/phoenix_storybook"}],"affected":[{"package":{"name":"phoenix_storybook","ecosystem":"Hex","purl":"pkg:hex/phoenix_storybook"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.2.0"},{"fixed":"1.1.0"}]}],"versions":["0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.7.0","0.7.1","0.7.2","0.8.0","0.8.1","0.8.2","0.8.3","0.9.0","0.9.1","0.9.2","0.9.3","1.0.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-8469.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/phenixdigital/phoenix_storybook","events":[{"introduced":"0228669d55c23a754d1ef11f49a32121129d5395"},{"fixed":"96d524690af0fe197a49f60d18e564a620b9ef81"}]}],"versions":["v1.0.0","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.8.3","v0.8.1","v0.7.2","v0.7.1","v0.7.0","v0.6.4","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.7","v0.5.6","v0.5.5","v0.5.4","v0.5.3","v0.5.2","v0.5.1","v0.5.0","v0.4.5","v0.4.4","v0.4.3","v0.4.2","v0.4.1","v0.4.0","v0.3.0","v0.2.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-8469.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Christian Blavier","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"}]}