CVE-2026-56812
Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototype members in Presence.syncState/syncDiff
Description
Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff. The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError. The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution). This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.
INFO
Published Date :
July 7, 2026, 4:16 p.m.
Last Modified :
July 7, 2026, 5:16 p.m.
Remotely Exploit :
Yes !
Source :
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 4.0 | MEDIUM | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | ||||
| CVSS 4.0 | MEDIUM | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db |
Solution
- Update phoenix to version 1.5.15 or later.
- Update phoenix to version 1.6.17 or later.
- Update phoenix to version 1.7.24 or later.
- Update phoenix to version 1.8.9 or later.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-56812.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-56812 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-56812
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-56812 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-56812 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Jul. 07, 2026
Action Type Old Value New Value Changed Affected [{'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'version': '1.2.0', 'lessThan': '1.5.15', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.6.0', 'lessThan': '1.6.17', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.7.0', 'lessThan': '1.7.24', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.8.0', 'lessThan': '1.8.9', 'versionType': 'semver'}], 'packageURL': 'pkg:hex/phoenix', 'packageName': 'phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://repo.hex.pm', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}, {'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'version': '1.2.0', 'lessThan': '1.5.15', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.6.0', 'lessThan': '1.6.17', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.7.0', 'lessThan': '1.7.24', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.8.0', 'lessThan': '1.8.9', 'versionType': 'semver'}], 'packageURL': 'pkg:npm/phoenix', 'packageName': 'phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://registry.npmjs.org', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}, {'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'changes': [{'at': '7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8', 'status': 'unaffected'}, {'at': '89a1c4be161e436241e12b2378a719904b9bd96f', 'status': 'unaffected'}, {'at': 'b90b22521465ece00eb5a19d5aa2b9465b209c85', 'status': 'unaffected'}, {'at': 'beffc4da1e787e572121f68902c63daf4fe7d9c2', 'status': 'unaffected'}], 'version': '2270aaf21bd02c6a6a1022820564efb605a97655', 'lessThan': '*', 'versionType': 'git'}], 'packageURL': 'pkg:github/phoenixframework/phoenix', 'packageName': 'phoenixframework/phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://github.com', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}] [{'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'version': '1.2.0-rc.0', 'lessThan': '1.5.15', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.6.0-rc.0', 'lessThan': '1.6.17', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.7.0-rc.0', 'lessThan': '1.7.24', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.8.0-rc.0', 'lessThan': '1.8.9', 'versionType': 'semver'}], 'packageURL': 'pkg:hex/phoenix', 'packageName': 'phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://repo.hex.pm', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}, {'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'version': '1.2.0-rc.0', 'lessThan': '1.5.15', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.6.0-rc.0', 'lessThan': '1.6.17', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.7.0-rc.0', 'lessThan': '1.7.24', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.8.0-rc.0', 'lessThan': '1.8.9', 'versionType': 'semver'}], 'packageURL': 'pkg:npm/phoenix', 'packageName': 'phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://registry.npmjs.org', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}, {'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'changes': [{'at': '7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8', 'status': 'unaffected'}, {'at': '89a1c4be161e436241e12b2378a719904b9bd96f', 'status': 'unaffected'}, {'at': 'b90b22521465ece00eb5a19d5aa2b9465b209c85', 'status': 'unaffected'}, {'at': 'beffc4da1e787e572121f68902c63daf4fe7d9c2', 'status': 'unaffected'}], 'version': '2270aaf21bd02c6a6a1022820564efb605a97655', 'lessThan': '*', 'versionType': 'git'}], 'packageURL': 'pkg:github/phoenixframework/phoenix', 'packageName': 'phoenixframework/phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://github.com', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}] Changed Description Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff. The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys are attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError. The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution). This issue affects phoenix: from 1.2.0 before 1.5.15, from 1.6.0 before 1.6.17, from 1.7.0 before 1.7.24, and from 1.8.0 before 1.8.9. Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff. The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError. The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution). This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9. -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jul. 07, 2026
Action Type Old Value New Value Added Reference https://github.com/phoenixframework/phoenix/security/advisories/GHSA-63mc-hw7g-86rr Added SSVC {'id': 'CVE-2026-56812', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'partial'}], 'version': '2.0.3', 'timestamp': '2026-07-07T16:11:03.353715Z'} -
New CVE Received by 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Jul. 07, 2026
Action Type Old Value New Value Added Affected [{'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'version': '1.2.0', 'lessThan': '1.5.15', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.6.0', 'lessThan': '1.6.17', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.7.0', 'lessThan': '1.7.24', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.8.0', 'lessThan': '1.8.9', 'versionType': 'semver'}], 'packageURL': 'pkg:hex/phoenix', 'packageName': 'phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://repo.hex.pm', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}, {'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'version': '1.2.0', 'lessThan': '1.5.15', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.6.0', 'lessThan': '1.6.17', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.7.0', 'lessThan': '1.7.24', 'versionType': 'semver'}, {'status': 'affected', 'version': '1.8.0', 'lessThan': '1.8.9', 'versionType': 'semver'}], 'packageURL': 'pkg:npm/phoenix', 'packageName': 'phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://registry.npmjs.org', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}, {'cpes': ['cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/phoenixframework/phoenix', 'vendor': 'phoenixframework', 'modules': ['Presence'], 'product': 'phoenix', 'versions': [{'status': 'affected', 'changes': [{'at': '7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8', 'status': 'unaffected'}, {'at': '89a1c4be161e436241e12b2378a719904b9bd96f', 'status': 'unaffected'}, {'at': 'b90b22521465ece00eb5a19d5aa2b9465b209c85', 'status': 'unaffected'}, {'at': 'beffc4da1e787e572121f68902c63daf4fe7d9c2', 'status': 'unaffected'}], 'version': '2270aaf21bd02c6a6a1022820564efb605a97655', 'lessThan': '*', 'versionType': 'git'}], 'packageURL': 'pkg:github/phoenixframework/phoenix', 'packageName': 'phoenixframework/phoenix', 'programFiles': ['assets/js/phoenix/presence.js'], 'collectionURL': 'https://github.com', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': 'Presence.syncState'}, {'name': 'Presence.syncDiff'}]}] Added Description Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff. The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys are attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError. The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution). This issue affects phoenix: from 1.2.0 before 1.5.15, from 1.6.0 before 1.6.17, from 1.7.0 before 1.7.24, and from 1.8.0 before 1.8.9. Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-754 Added Reference https://cna.erlef.org/cves/CVE-2026-56812.html Added Reference https://github.com/phoenixframework/phoenix/commit/7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8 Added Reference https://github.com/phoenixframework/phoenix/commit/89a1c4be161e436241e12b2378a719904b9bd96f Added Reference https://github.com/phoenixframework/phoenix/commit/b90b22521465ece00eb5a19d5aa2b9465b209c85 Added Reference https://github.com/phoenixframework/phoenix/commit/beffc4da1e787e572121f68902c63daf4fe7d9c2 Added Reference https://github.com/phoenixframework/phoenix/security/advisories/GHSA-63mc-hw7g-86rr Added Reference https://osv.dev/vulnerability/EEF-CVE-2026-56812