CVE-2026-42794 Overview
CVE-2026-42794 is a reflected cross-site scripting (XSS) vulnerability in the absinthe_plug library, an Elixir plug that exposes Absinthe GraphQL APIs over HTTP. The flaw resides in the GraphiQL interface, where the query GET parameter is embedded into an inline JavaScript string literal without backslash escaping. An attacker can craft a URL that breaks out of the JavaScript string context and executes arbitrary script in the victim's browser. The issue affects absinthe_plug versions from 1.2.0 up to, but not including, 1.5.10 and is categorized under CWE-79.
Critical Impact
Attackers can deliver crafted GraphiQL URLs that execute arbitrary JavaScript in a victim's browser session, enabling session theft, GraphQL action abuse, and phishing.
Affected Products
- absinthe-graphql/absinthe_plug versions >= 1.2.0 and < 1.5.10
- Elixir applications exposing the Absinthe GraphiQL interface in production
Discovery Timeline
- 2026-05-08 - CVE-2026-42794 published to NVD
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-42794
Vulnerability Analysis
The vulnerability lives in Elixir.Absinthe.Plug.GraphiQL, specifically the js_escape/1 helper defined in lib/absinthe/plug/graphiql.ex. When the GraphiQL interface renders the page, it takes the query GET parameter and embeds it directly inside an inline JavaScript string literal. The js_escape/1 function attempts to neutralize dangerous characters by escaping single quotes and newlines, but it omits backslashes from the escape set. Because backslashes pass through unmodified, an attacker can supply a backslash followed by a quote, \', which the function turns into \\': the attacker's backslash pairs with the backslash the function inserted, leaving the quote itself unescaped so that it terminates the JavaScript string literal prematurely. The remainder of the attacker-controlled payload is then parsed as JavaScript source.
Root Cause
The root cause is incomplete output encoding in js_escape/1. Proper JavaScript string escaping requires backslashes to be doubled before any other escaping is applied. By skipping this step, the function allows attacker-supplied backslashes to neutralize the very escaping the function performs on quotes, producing a context-confusion that yields reflected XSS.
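The following Elixir module is an added example, not code from absinthe_plug. It reconstructs the js_escape/1 shape the analysis and root cause describe (quotes and newlines escaped, backslashes not) beside a corrected version that doubles backslashes first, and includes a small scanner that checks whether an escaped value would still sit inside one single-quoted JavaScript literal. The `</` rule in the corrected version and the `render/2` template line are assumptions added for illustration.

```elixir
# Added example (not absinthe_plug's own code): a reconstruction of the
# js_escape/1 pattern described for CVE-2026-42794, beside a corrected version,
# with a self-check that scans the escaped text as the body of a JS literal.
defmodule JsEscapeDemo do
  # Vulnerable shape: quotes and newlines are escaped, backslashes are not.
  # For the input `\'` this yields `\\'`: in JavaScript that is an escaped
  # backslash followed by a bare quote, so the string literal ends early.
  def js_escape_vulnerable(string) when is_binary(string) do
    string
    |> String.replace("'", "\\'")
    |> String.replace("\n", "\\n")
  end

  # Corrected shape: backslashes are doubled before anything else, so an
  # attacker-supplied backslash can no longer pair with the one added for a
  # quote. The `</` rule is extra hardening (assumption, not from the
  # advisory): it keeps `</script>` from closing the surrounding inline block.
  def js_escape(string) when is_binary(string) do
    string
    |> String.replace("\\", "\\\\")
    |> String.replace("'", "\\'")
    |> String.replace("\"", "\\\"")
    |> String.replace("\n", "\\n")
    |> String.replace("\r", "\\r")
    |> String.replace("</", "<\\/")
  end

  # True if `escaped`, placed between single quotes in JavaScript source,
  # would not remain a single string literal: a bare quote ends it early and
  # a trailing lone backslash swallows the closing quote.
  def breaks_out?(escaped) when is_binary(escaped) do
    escaped |> String.to_charlist() |> scan()
  end

  defp scan([]), do: false
  defp scan([?\\]), do: true
  defp scan([?\\, _next | rest]), do: scan(rest)
  defp scan([?' | _]), do: true
  defp scan([_ | rest]), do: scan(rest)

  # Renders the inline assignment the way a page template would embed it
  # (assumed template line, for illustration only).
  def render(escaper, query), do: "var query = '" <> escaper.(query) <> "';"

  def demo do
    # The two characters backslash, quote: the sequence the IoC list names.
    probe = "\\'"

    %{
      vulnerable:
        {render(&js_escape_vulnerable/1, probe), breaks_out?(js_escape_vulnerable(probe))},
      fixed: {render(&js_escape/1, probe), breaks_out?(js_escape(probe))}
    }
  end
end

IO.inspect(JsEscapeDemo.demo())
```

Run it with `elixir js_escape_demo.exs`: the vulnerable rendering reports `breaks_out?` as true and the corrected one as false. The scanner is deliberately minimal (it only models backslash pairing and bare quotes), which is enough to show why order matters: any escaping step applied before the backslash step can be undone by a backslash the attacker supplies.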
Attack Vector
Exploitation requires the victim to load a GraphiQL URL crafted by the attacker, for example through a phishing link or an embedded redirect. The malicious payload is placed in the query GET parameter and uses a leading backslash to escape the surrounding string delimiter. When the GraphiQL page renders, the browser parses the injected JavaScript in the application's origin, granting access to cookies, GraphQL endpoints, and the DOM. User interaction is required, but no authentication or special privileges are needed on the target application.
No public proof-of-concept code is published in the referenced advisories. See the upstream commit and GitHub Issue #275 for the technical fix and discussion.
Detection Methods for CVE-2026-42794
Indicators of Compromise
- Requests to GraphiQL endpoints containing a backslash followed by a single quote in the query parameter, for example ?query=\'.
- URL-encoded sequences such as %5C%27, %5C%22, or embedded </script> tags in the query parameter of GraphiQL requests.
- HTTP referers pointing to external sites that load the application's GraphiQL endpoint with non-standard query strings.
Detection Strategies
- Inspect web server and reverse proxy logs for GET requests targeting the GraphiQL route with suspicious characters in the query parameter.
- Deploy a Web Application Firewall (WAF) rule that flags backslash-quote sequences and script-tag patterns in GraphQL query parameters.
- Audit deployed Elixir applications for the absinthe_plug dependency version using mix deps and flag versions below 1.5.10.
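As an added detection example covering both the indicators above and the log-inspection strategy (it is not part of the advisory or of absinthe_plug), the script below scans access-log lines in combined log format for GET requests to the GraphiQL route, URL-decodes the query parameter, and flags backslash-quote sequences, script tags, a trailing lone backslash, and external Referer values. The sample log lines, the `/graphiql` mount path and the `https://app.example` origin are constructed assumptions.

```elixir
# Added detection example for CVE-2026-42794 (not part of the advisory).
# Scans combined-format access-log lines for GraphiQL GET requests whose
# decoded `query` parameter carries the patterns the IoC list describes.
defmodule GraphiqlLogScan do
  # Assumptions: where Absinthe.Plug.GraphiQL is mounted and the app's own origin.
  @graphiql_path "/graphiql"
  @own_origin "https://app.example"

  # Constructed sample lines: one benign query, two probes, one unrelated POST.
  @sample_lines [
    ~S|10.0.0.5 - - [08/May/2026:10:00:01 +0000] "GET /graphiql?query=%7B%20me%20%7B%20id%20%7D%20%7D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"|,
    ~S|203.0.113.9 - - [08/May/2026:10:00:07 +0000] "GET /graphiql?query=%5C%27probe HTTP/1.1" 200 5120 "https://attacker.example/" "Mozilla/5.0"|,
    ~S|203.0.113.9 - - [08/May/2026:10:00:09 +0000] "GET /graphiql?query=%3C%2Fscript%3Eprobe HTTP/1.1" 200 5120 "https://attacker.example/" "Mozilla/5.0"|,
    ~S|10.0.0.8 - - [08/May/2026:10:00:11 +0000] "POST /api/graphql HTTP/1.1" 200 300 "-" "curl/8.0"|
  ]

  # Request line plus status, size and the Referer field of the combined format.
  defp request_re, do: ~r/"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" \d+ \d+ "(?<referer>[^"]*)"/

  # Patterns applied to the decoded query value (mirrors the IoC list).
  defp suspicious do
    [
      {"backslash-quote", ~r/\\['"]/},
      {"script-tag", ~r/<\/?script/i},
      {"trailing-backslash", ~r/\\$/}
    ]
  end

  def scan(lines \\ @sample_lines) do
    lines
    |> Enum.with_index(1)
    |> Enum.flat_map(fn {line, n} -> findings(line, n) end)
  end

  defp findings(line, n) do
    with %{"method" => "GET", "target" => target, "referer" => referer} <-
           Regex.named_captures(request_re(), line),
         %URI{path: @graphiql_path, query: query} when is_binary(query) <- URI.parse(target),
         %{"query" => value} <- URI.decode_query(query) do
      payload_hits =
        for {label, re} <- suspicious(), Regex.match?(re, value) do
          %{line: n, reason: label, query: value, referer: referer}
        end

      if external_referer?(referer) do
        [%{line: n, reason: "external-referer", query: value, referer: referer} | payload_hits]
      else
        payload_hits
      end
    else
      _ -> []
    end
  end

  defp external_referer?("-"), do: false
  defp external_referer?(""), do: false
  defp external_referer?(referer), do: not String.starts_with?(referer, @own_origin)
end

IO.inspect(GraphiqlLogScan.scan(), label: "GraphiQL findings")
```

Decoding before matching matters: the same probe can arrive as `%5C%27`, `%5c%27` or mixed encodings, and a rule that only looks at the raw query string misses those variants. Line 1 (a normal query) produces no finding; lines 2 and 3 each produce a payload finding plus an external-referer finding; the POST on line 4 is ignored because the route is not the GraphiQL one.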
Monitoring Recommendations
- Alert on anomalous spikes in GET traffic to GraphiQL routes, especially from off-network referrers.
- Monitor Content Security Policy (CSP) violation reports for inline script executions on GraphiQL pages.
- Track outbound requests from browsers that loaded GraphiQL to identify potential session token exfiltration.
How to Mitigate CVE-2026-42794
Immediate Actions Required
- Upgrade absinthe_plug to version 1.5.10 or later across all Elixir applications.
- Disable the GraphiQL interface in production environments where it is not strictly required.
- Enforce a strict Content Security Policy that forbids inline script execution on GraphiQL routes.
Patch Information
The fix was committed upstream in absinthe_plug commit 23a0d56 and released in absinthe_plug 1.5.10. The patch extends the js_escape/1 function to also escape backslash characters, preventing string-context breakout. Refer to the Erlang Ecosystem Foundation CNA advisory and the OSV record for the authoritative fix metadata.
Workarounds
- Remove the Absinthe.Plug.GraphiQL route from production router pipelines and restrict it to local development.
- Restrict access to the GraphiQL endpoint by IP allowlist or authenticated session if it must remain reachable.
- Apply a reverse proxy filter that rejects requests where the query parameter contains backslash characters.
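The Phoenix router below is an added example of the first two workarounds and of the CSP recommendation, not code from absinthe_plug or from any real application. It assumes a standard Phoenix project (`MyApp`/`MyAppWeb`) with an Absinthe schema at `MyAppWeb.Schema`: the GraphiQL route is compiled only in dev and test, is guarded by an exact-address allowlist, and receives a report-only CSP so inline-script violations reach monitoring without breaking the GraphiQL page itself, which relies on inline script.

```elixir
# Added example (not absinthe_plug's code): mount GraphiQL only outside
# production, restrict it by IP, and attach a report-only CSP.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Exact addresses that may reach GraphiQL when it is mounted at all (assumption).
  @graphiql_allowlist [{127, 0, 0, 1}, {10, 0, 0, 5}]

  pipeline :api do
    plug :accepts, ["json"]
  end

  pipeline :graphiql_guard do
    plug :restrict_to_allowlist, @graphiql_allowlist
    plug :report_only_csp
  end

  scope "/api" do
    pipe_through :api
    forward "/graphql", Absinthe.Plug, schema: MyAppWeb.Schema
  end

  # Evaluated at compile time: production builds contain no GraphiQL route.
  if Mix.env() in [:dev, :test] do
    scope "/" do
      pipe_through :graphiql_guard
      forward "/graphiql", Absinthe.Plug.GraphiQL, schema: MyAppWeb.Schema
    end
  end

  # Answers 404 outside the allowlist so the endpoint is not advertised.
  # conn.remote_ip is an address tuple; behind a reverse proxy, run a plug
  # that derives it from the proxy's forwarding header before this one.
  def restrict_to_allowlist(conn, allowed) do
    if conn.remote_ip in allowed do
      conn
    else
      conn
      |> send_resp(404, "Not Found")
      |> halt()
    end
  end

  # Report-only policy: inline script on the GraphiQL page is reported to
  # /csp-report (an assumed collector endpoint) rather than blocked.
  def report_only_csp(conn, _opts) do
    put_resp_header(
      conn,
      "content-security-policy-report-only",
      "default-src 'self'; script-src 'self'; report-uri /csp-report"
    )
  end
end
```

Two caveats for the workarounds. A reverse-proxy filter that rejects every backslash in the query parameter also rejects legitimate GraphQL documents that contain escaped strings, so scope such a rule to the GraphiQL route rather than the GraphQL API route. And an enforcing `script-src 'self'` policy blocks the GraphiQL page's own inline script along with any injected one; keep the policy in report-only mode on that route until the upgrade to 1.5.10 is done, or simply leave GraphiQL unmounted in production.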
# Update absinthe_plug to the patched version in mix.exs, then run:
mix deps.update absinthe_plug
mix deps.get
mix compile
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.