mediumCVE-2026-56812

CVE-2026-56812 Phoenix Framework vulnerability

Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff. The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError. The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution). This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.

ProductPhoenix Framework
CVSS6.3
EPSS0.00354
UpdatedJuly 12, 2026

Quick answer

Phoenix Framework should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • >=1.2.0-rc.0 <1.5.15
  • >=1.6.0-rc.0 <1.6.17
  • >=1.7.0-rc.0 <1.7.24
  • >=1.8.0-rc.0 <1.8.9

Fixed versions

  • 1.5.15
  • 1.6.17
  • 1.7.24
  • 1.8.9

How to fix it

CVE-2026-56812 affects Phoenix Framework applications where the Phoenix Presence JavaScript client can repeatedly throw on attacker-controlled presence keys matching Object.prototype member names, breaking sync for viewers of the topic. Prioritize applications with reachable Phoenix Channels, WebSocket, LongPoll, or Presence topics because the practical impact is denial of service against users or the BEAM node. Update Phoenix to 1.5.15, 1.6.17, 1.7.24, and 1.8.9, or a later supported release on the active branch, and redeploy server and JavaScript assets where applicable. Until patched, reduce exposure by validating channel and presence inputs, limiting channel joins, and placing application-level rate limits around reachable transports.

  1. Inventory Phoenix applications, Hex package versions, deployed JavaScript assets, WebSocket transports, LongPoll transports, and channel topics exposed to users.
  2. Identify affected Phoenix versions and plan an upgrade to 1.5.15, 1.6.17, 1.7.24, and 1.8.9, or a later supported release for the deployed branch.
  3. Update the Phoenix dependency, rebuild assets, redeploy releases, and restart application nodes through the normal rollout process.
  4. Set safe transport and channel limits where supported, and validate channel topics, presence keys, and user-controlled identifiers before tracking them.
  5. Add reverse proxy and application monitoring for abnormal channel join rates, repeated reconnects, presence sync failures, and BEAM process exhaustion signals.
  6. Review logs and telemetry for crafted phx_join bursts, unusual presence keys, client-side TypeErrors, or sustained channel-topic failures.
  7. If service degradation occurred, capture telemetry, block abusive clients, rotate affected sessions where needed, and document capacity impact before cleanup.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm each Phoenix deployment reports a fixed dependency version: 1.5.15, 1.6.17, 1.7.24, and 1.8.9, or a later supported release.
  • Confirm the deployed Phoenix JavaScript assets use own-property checks for presence keys and malicious prototype-member keys no longer break presence sync.
  • Confirm WebSocket and LongPoll endpoints remain functional for legitimate clients while abusive joins or malformed presence keys are rejected or bounded.
  • Review BEAM process counts, channel telemetry, browser console errors, and application logs after deployment for recurring denial-of-service indicators.
  • Document package versions, asset hashes, transport limits, tests performed, and monitoring evidence.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-56812?

Phoenix Framework versions listed as affected should be reviewed: >=1.2.0-rc.0 <1.5.15, >=1.6.0-rc.0 <1.6.17, >=1.7.0-rc.0 <1.7.24, >=1.8.0-rc.0 <1.8.9.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.