CVE-2026-42786 - Bandit WebSocket fragment reassembly DoS

Bandit 0.5.0 through 1.10.4 can be forced to keep appending WebSocket continuation-frame payloads to a per-connection buffer without a cumulative message-size cap. The configured frame-size limit only bounds each individual frame, so an unauthenticated client that can open a WebSocket can stream many non-final continuation frames and grow BEAM memory until the process or node is killed.

The vulnerable path runs before application WebSock.handle_in/2 code gets a chance to reject the message. Phoenix Channels and LiveView deployments that use Bandit are therefore exposed when they accept WebSocket connections on an affected Bandit version.

Affected versions

Vulnerable: Hex package bandit >=0.5.0, <1.11.0
Fixed: bandit 1.11.0+

Indicator-of-exposure

The repository builds or deploys an Elixir/Phoenix application that depends on Hex package bandit.
mix.lock, mix.exs, an image SBOM, release metadata, or deployment artifact resolves bandit to >=0.5.0, <1.11.0.
The application exposes Phoenix Channels, LiveView, WebSock routes, or custom WebSocket upgrades through Bandit.
A public, partner, tenant, or otherwise untrusted client can open WebSocket connections to the affected service.

Quick checks:

rg -n "bandit|Bandit|Phoenix.Endpoint|LiveView|socket|WebSock|upgrade\\(" .
mix deps | rg '^\\* bandit '
mix hex.outdated bandit
mix phx.routes | rg -i "socket|live"

Remediation strategy

Upgrade every controlled Bandit runtime to 1.11.0+.
Regenerate mix.lock, release metadata, container images, SBOMs, and rendered deployment artifacts that pin or report dependency versions.
Confirm WebSocket-facing services are patched before scaling traffic back up.
If the upgrade is blocked, temporarily reduce exposure by disabling or restricting affected WebSocket endpoints at the ingress, load balancer, route, or feature-flag layer. Treat that as containment, not remediation.
Review memory-pressure, connection-reset, and node-restart telemetry for the exposure window if the WebSocket endpoint was internet-facing.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-42786 (Bandit WebSocket fragmented message
reassembly denial of service). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Bandit, verifies WebSocket
  exposure, adds safe dependency/deployment validation, and documents operator
  containment, or
- TRIAGE.md if this repository does not own an affected Bandit runtime or safe
  patch path.

## Rules

- Scope only CVE-2026-42786.
- Do not generate, run, or commit denial-of-service payloads.
- Do not run memory-exhaustion tests against production, staging, preview, or
  shared services.
- Do not remove WebSocket, Phoenix Channel, or LiveView behavior unless the
  repository already has a feature flag or operator-approved route control.
- Do not auto-merge.

## Steps

1. Inventory Bandit usage controlled by this repository: `mix.exs`,
   `mix.lock`, umbrella apps, releases, Dockerfiles, base images, SBOMs, Helm
   values, Kubernetes manifests, Terraform, compose files, deployment scripts,
   and generated dependency reports.
2. Determine every resolved Hex package `bandit` version. A runtime is
   vulnerable if it resolves to `>=0.5.0, <1.11.0`.
3. Identify WebSocket exposure:
   - Phoenix Channels;
   - LiveView routes;
   - `WebSockAdapter.upgrade/4`;
   - custom Bandit or Plug WebSocket upgrade paths;
   - ingress, CDN, load balancer, or route rules that make those endpoints
     reachable by untrusted clients.
4. If this repository only contains clients, documentation, or deployment
   pointers to an externally owned service, stop with `TRIAGE.md` naming the
   owner, evidence checked, and required fixed version `bandit 1.11.0+`.
5. Upgrade vulnerable Bandit runtimes to `1.11.0+` on the smallest compatible
   release line. Regenerate `mix.lock`, release artifacts, dependency reports,
   SBOMs, image digests, and rendered deployment manifests as appropriate for
   this repository.
6. If dependency constraints prevent the upgrade, update the direct dependency
   that pins Bandit, add the narrowest override supported by the build, or stop
   with `TRIAGE.md` explaining the blocker and temporary containment.
7. Add a safe regression or policy check that proves the resolved Bandit version
   is not vulnerable. Good examples:
   - a lockfile/dependency assertion for `bandit >=1.11.0`;
   - a release metadata check;
   - a deployment-render test that confirms the patched image or release is
     used.
   Avoid exploit-like fragmented-frame tests that intentionally consume memory.
8. If the repository controls emergency routing, add or document a reversible
   containment option for blocked rollouts:
   - disable public WebSocket routes;
   - restrict WebSocket endpoints to trusted networks or authenticated ingress;
   - lower connection and request limits at the edge;
   - increase observability for memory pressure and connection churn.
9. Add a PR body section named `CVE-2026-42786 operator actions` that states:
   - resolved Bandit versions before and after the change;
   - which WebSocket endpoints are exposed;
   - whether Phoenix Channels or LiveView are reachable from untrusted clients;
   - what containment is required before or during rollout;
   - whether memory-pressure or restart telemetry should be reviewed;
   - whether CVE-2026-39804 also applies to this deployment.
10. Run available validation: `mix deps.get`, `mix deps.unlock --check-unused`
    if used locally, `mix compile --warnings-as-errors` when appropriate,
    tests, format, dependency/security scans, image build, release build, and
    deployment rendering.
11. Use PR title:
    `fix(sec): remediate CVE-2026-42786 in Bandit`.

## Stop conditions

- No affected Bandit runtime is controlled by this repository.
- The resolved Bandit version is already `1.11.0+` across lockfiles, release
  metadata, SBOMs, and images.
- A fixed Bandit release cannot be consumed without a larger Phoenix, Plug, or
  Elixir migration.
- Verifying exposure would require running denial-of-service payloads or
  memory-exhaustion tests.
- The only apparent mitigation would silently break public WebSocket behavior
  without operator approval.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

No deployable Elixir release, image, lockfile, SBOM, or generated dependency report resolves bandit below 1.11.0.
WebSocket exposure is explicitly inventoried, including Phoenix Channels, LiveView, and custom WebSock upgrade paths.
Tests or policy checks prove the patched dependency is resolved without using unsafe memory-exhaustion payloads.
Any temporary route or ingress containment is clearly labeled as temporary and reversible.
The PR calls out whether the related Bandit compression advisory CVE-2026-39804 is also relevant.

Watch for

Umbrella apps where only one child app lockfile or release artifact was updated.
Container images that still carry an older release after mix.lock was fixed.
Assuming a low max_frame_size setting blocks this CVE; the vulnerable behavior is cumulative across continuation frames.
Internal WebSocket endpoints that are reachable by tenants, partner networks, worker pools, browser clients, or compromised services.
Confusing the Elixir bandit server with the unrelated Python security scanner named Bandit.

References

GitHub Advisory: https://github.com/advisories/GHSA-pf94-94m9-536p
GitHub Security Advisory: https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p
OSV: https://osv.dev/vulnerability/EEF-CVE-2026-42786
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42786
Fix commit: https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667
Hex package: https://hex.pm/packages/bandit