Oban Web, Uncontrolled Resource Consumption (DoS), CVE-2026-48593 (Medium) -DC-Jun2026-759


This vulnerability, identified as CVE-2026-48593, is an uncontrolled resource consumption flaw in the `oban_web` package, a dashboard UI for the Oban job processing library in Elixir. The issue was introduced in version 2.12.0 and affects all versions up to and including 2.12.4.
The core of the problem lies in the cron expression parser, specifically the `Elixir.Oban.Web.CronExpr` module. An attacker who is able to schedule cron jobs can submit a maliciously crafted expression such as "0 0 1-100000000 ", whose day-of-month field contains an extremely large numeric range (1-100000000).
When a user with dashboard access navigates to view the list of cron jobs, the system calls the `describe/1` function to render the expression. The vulnerability is triggered in the parsing stage. The `parse_range/1` function parses the range endpoints using `Integer.parse/1` but performs no bounds checking, accepting arbitrarily large numbers.
The subsequent helpers, `expand_dom_parts/1` and `expand_dow_parts/1`, then eagerly materialize this range into a list using `Enum.to_list/1`. For the example expression, this creates a list of 100 million integers, consuming approximately 2.4 GB of memory. This massive allocation stalls or crashes the BEAM (Erlang VM) node, resulting in a denial of service.
A sibling helper, `extract_dom_values`, already performs proper bounds validation, which highlights an inconsistency in the codebase: the expansion helpers lack the same checks. Exploitation requires no privileges beyond the ability to schedule a cron job, and the crash is triggered passively whenever a dashboard user views the cron job list.

DailyCVE Form

Platform: Oban Web
Version: 2.12.0 – 2.12.4
Vulnerability: Unbounded Range Expansion
Severity: Medium (CVSS 5.9)
Date: 2026-05-26

Prediction: 2026-06-02

What Undercode Say

The following analytics and commands are relevant to understanding and detecting this vulnerability.

Analytics:

  • Memory Spike: Sudden, massive increase in BEAM memory usage by a dashboard process.
  • Node Crash: Unexpected termination of the BEAM node, often with an `enomem` error.
  • Log Analysis: Look for cron expressions with abnormally large integer ranges (e.g., 1-999999999) in audit logs or job creation events.

Bash Commands:

  • Check Oban Web Version (`mix deps` lists the project's dependencies with their resolved versions):
    mix deps | grep oban_web

  • Search Logs for Suspicious Ranges:
    grep -E "[0-9]+-[0-9]{7,}" /var/log/oban/error.log

Elixir Code Snippet (Vulnerable Path):

lib/oban/web/cron_expr.ex (Vulnerable)
    defp parse_range(<<first::bytes-size(1)>> <> _ = string) do
      # ... no bounds check on parsed integers ...
      {:range, start_val, end_val}
    end

How the Exploit Works

  1. Schedule Malicious Job: An attacker with cron scheduling access submits a job with a malicious expression like "0 0 1-100000000 ".
  2. Trigger Rendering: A user with dashboard access views the cron job list.
  3. Parse and Expand: The `describe/1` function parses the range without bounds checks, and the expansion helpers then materialize the range into a list, consuming massive amounts of memory.
  4. Denial of Service: The BEAM node runs out of memory and either stalls or crashes.

Protection

  • Upgrade: The primary and most effective mitigation is to upgrade `oban_web` to version 2.12.5 or later, which includes proper bounds checking.
  • Restrict Access: Limit the ability to schedule cron jobs to only trusted administrators.
  • Monitor: Implement monitoring on BEAM memory usage to detect sudden spikes indicative of an attack.
  • Input Validation: As a temporary workaround, consider implementing a reverse proxy or application-level firewall rule to block cron expressions containing excessively large numeric ranges.
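The following is an added example, not code from `oban_web`, showing the shape of the bounds check described in the vulnerability analysis above and in the Upgrade and Input Validation items: range endpoints are validated against the legal window for their cron field before any list is built, so an expression like "1-100000000" in the day-of-month field is rejected at parse time instead of being expanded. The module name `CronRangeCheck`, the field atoms and the per-field limits are assumptions for the example.

```elixir
# Added example (not oban_web's own code): a bounded cron range parser.
# Field limits follow standard cron; the module and field names are assumed.
defmodule CronRangeCheck do
  @limits %{minute: {0, 59}, hour: {0, 23}, dom: {1, 31}, month: {1, 12}, dow: {0, 6}}

  # Parse an "a-b" range for a field. Endpoints outside the field's legal
  # window are rejected BEFORE any list is materialized, so an attacker-sized
  # range costs nothing more than two Integer.parse/1 calls.
  def parse_range(field, string) do
    {min, max} = Map.fetch!(@limits, field)

    with [a, b] <- String.split(string, "-", parts: 2),
         {start_val, ""} <- Integer.parse(a),
         {end_val, ""} <- Integer.parse(b),
         true <- start_val >= min and end_val <= max and start_val <= end_val do
      {:ok, {:range, start_val, end_val}}
    else
      _ -> {:error, {:out_of_bounds, field, string}}
    end
  end

  # Expansion runs only after validation succeeded, so the resulting list has
  # at most max - min + 1 elements (31 for day-of-month), never 100 million.
  def expand(field, string) do
    case parse_range(field, string) do
      {:ok, {:range, s, e}} -> {:ok, Enum.to_list(s..e)}
      error -> error
    end
  end
end

# Constructed inputs mirroring the advisory's payload:
IO.inspect(CronRangeCheck.expand(:dom, "1-15"))
# {:ok, [1, 2, 3, ..., 15]}
IO.inspect(CronRangeCheck.expand(:dom, "1-100000000"))
# {:error, {:out_of_bounds, :dom, "1-100000000"}}
```

The same validate-then-expand ordering is what an application-level filter in front of the dashboard would need to enforce; a regex such as the `grep` pattern above catches only ranges with seven or more digits, while the bounds check above rejects anything outside the field window.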

Impact

  • Availability: The primary impact is a denial of service. Successful exploitation causes the BEAM node to become unresponsive or crash entirely, taking down the application.
  • Operational Disruption: This vulnerability can be triggered by any dashboard user, making it a significant risk in multi-user environments.
  • CVSS Score: The vulnerability has a CVSS 4.0 base score of 5.9 (Medium), with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N.


Sources:

Reported By: github.com