highCVE-2026-56811

CVE-2026-56811 Phoenix Framework vulnerability

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll). This vulnerability is associated with program files lib/phoenix/socket.ex and program routine 'Elixir.Phoenix.Socket':handle_in/4. Phoenix transports do not limit the number of channels that a single transport process may join. Every phx_join message a client sends over one connection starts a persistent channel process, and the socket process accepts an unbounded number of them. A single unauthenticated client can therefore open one WebSocket or LongPoll connection and stream a large number of phx_join messages, spawning hundreds of thousands of channel processes over that one connection and eventually reaching the BEAM maximum process limit. Once the process table is exhausted the virtual machine can no longer start new processes, denying service to legitimate traffic across the whole node. Because the amplification happens inside a single connection, network-layer connection caps and rate limiting do not mitigate it. The fix adds a :max_channels_per_transport option (default 100) that bounds the number of channels a single transport process can join, forcing abusive clients to open many connections instead, where external load balancers and reverse proxies can throttle them. This issue affects phoenix: from 0.11.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.

ProductPhoenix Framework
CVSS8.7
EPSS0.00377
UpdatedJuly 12, 2026

Quick answer

Phoenix Framework should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • >=0.11.0 <1.5.15
  • >=1.6.0-rc.0 <1.6.17
  • >=1.7.0-rc.0 <1.7.24
  • >=1.8.0-rc.0 <1.8.9

Fixed versions

  • 1.5.15
  • 1.6.17
  • 1.7.24
  • 1.8.9

How to fix it

CVE-2026-56811 affects Phoenix Framework applications where Phoenix.Socket can allow one transport connection to join an unbounded number of channels, exhausting BEAM processes and denying service across the node. Prioritize applications with reachable Phoenix Channels, WebSocket, LongPoll, or Presence topics because the practical impact is denial of service against users or the BEAM node. Update Phoenix to 1.5.15, 1.6.17, 1.7.24, and 1.8.9, or a later supported release on the active branch, and redeploy server and JavaScript assets where applicable. Until patched, reduce exposure by validating channel and presence inputs, limiting channel joins, and placing application-level rate limits around reachable transports.

  1. Inventory Phoenix applications, Hex package versions, deployed JavaScript assets, WebSocket transports, LongPoll transports, and channel topics exposed to users.
  2. Identify affected Phoenix versions and plan an upgrade to 1.5.15, 1.6.17, 1.7.24, and 1.8.9, or a later supported release for the deployed branch.
  3. Update the Phoenix dependency, rebuild assets, redeploy releases, and restart application nodes through the normal rollout process.
  4. Set safe transport and channel limits where supported, and validate channel topics, presence keys, and user-controlled identifiers before tracking them.
  5. Add reverse proxy and application monitoring for abnormal channel join rates, repeated reconnects, presence sync failures, and BEAM process exhaustion signals.
  6. Review logs and telemetry for crafted phx_join bursts, unusual presence keys, client-side TypeErrors, or sustained channel-topic failures.
  7. If service degradation occurred, capture telemetry, block abusive clients, rotate affected sessions where needed, and document capacity impact before cleanup.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm each Phoenix deployment reports a fixed dependency version: 1.5.15, 1.6.17, 1.7.24, and 1.8.9, or a later supported release.
  • Confirm max_channels_per_transport is available and enforced, with a safe configured limit for every reachable WebSocket and LongPoll transport.
  • Confirm WebSocket and LongPoll endpoints remain functional for legitimate clients while abusive joins or malformed presence keys are rejected or bounded.
  • Review BEAM process counts, channel telemetry, browser console errors, and application logs after deployment for recurring denial-of-service indicators.
  • Document package versions, asset hashes, transport limits, tests performed, and monitoring evidence.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-56811?

Phoenix Framework versions listed as affected should be reviewed: >=0.11.0 <1.5.15, >=1.6.0-rc.0 <1.6.17, >=1.7.0-rc.0 <1.7.24, >=1.8.0-rc.0 <1.8.9.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.