
CVE-2026-48802 is an unbounded thread allocation vulnerability in the python-engineio library that allows unauthenticated remote attackers to cause a denial of service by exhausting server threads. It affects all versions up to and including 4.13.1, with the fix introduced in version 4.13.2. The vulnerability was first published by the maintainer on May 23, 2026, and added to the GitHub Advisory Database on June 26, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (Github Advisory, Security Advisory).
The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) in the heartbeat mechanism of python-engineio. The server spawns a new background thread each time a new connection is received and again each time a client sends a PONG packet, with no enforcement of a single active heartbeat thread per client and no authentication check before thread creation. An attacker can exploit this by repeatedly sending PONG packets or initiating connections without completing authentication, causing unbounded thread proliferation. This issue primarily affects synchronous server deployments; asynchronous servers use lightweight background tasks rather than OS threads, making them less susceptible to resource exhaustion, though the fix was applied to both modes (Github Advisory, Security Advisory).
Successful exploitation results in thread exhaustion on the affected server, leading to denial of service: the server becomes unable to handle legitimate connections as system resources are consumed by unnecessary heartbeat threads. There is no impact on confidentiality or data integrity; the sole consequence is a high impact on availability. Synchronous deployments are at greatest risk, as OS-level threads are a finite and expensive resource compared to the async tasks used in asynchronous server configurations (Github Advisory).
Affected software: python-engineio in synchronous mode (e.g., Flask-SocketIO applications), which can be fingerprinted via Engine.IO handshake responses. Indicators of exploitation include repeated connections to the Engine.IO endpoint (e.g., /socket.io/?EIO=4&transport=websocket) without completing authentication, each triggering a heartbeat thread per connection; a rapidly growing thread count in the server process (visible via ps, top, or /proc/<pid>/status); and server process memory and CPU usage climbing without a corresponding increase in legitimate traffic.
Upgrade python-engineio to version 4.13.2 or later, which restricts heartbeat thread creation to authenticated clients and enforces a single active heartbeat thread per client, discarding out-of-sequence PONG packets. No configuration-based workaround is documented; upgrading is the recommended and only confirmed remediation. Operators using synchronous server deployments should prioritize this update given the higher severity of thread exhaustion in that context (Github Advisory, Security Advisory).
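The following is an added example, not python-engineio's own code or the maintainer's fix. It models the two heartbeat-scheduling patterns described above (a thread per connection and per PONG with no limit, versus a single heartbeat thread per authenticated client with stray PONGs discarded) so the thread growth can be counted, and adds a small check for the /proc/<pid>/status thread-count indicator mentioned in the detection guidance. Class names, the sample /proc text and the baseline threshold are illustrative assumptions.

```python
"""Added example (not python-engineio's code): a simplified model of the
heartbeat-thread scheduling described in the advisory, showing the
pre-4.13.2 pattern beside the hardened one, plus a check for the
/proc/<pid>/status thread-count indicator. All names are illustrative."""
import re
import threading


class VulnerableHeartbeat:
    """Pre-fix pattern (modelled): a new OS thread on every new connection
    and on every PONG, with no per-client limit and no auth check."""

    def __init__(self, stop: threading.Event):
        self.stop = stop
        self.threads: list[threading.Thread] = []

    def _heartbeat_loop(self, sid: str) -> None:
        # Stands in for the real loop (sleep ping_interval, send PING, ...).
        # Blocking on the event keeps the thread alive so it can be counted.
        self.stop.wait()

    def _spawn(self, sid: str) -> None:
        t = threading.Thread(target=self._heartbeat_loop, args=(sid,), daemon=True)
        t.start()
        self.threads.append(t)

    def on_connect(self, sid: str, authenticated: bool) -> None:
        self._spawn(sid)                 # spawned before any auth check

    def on_pong(self, sid: str, authenticated: bool) -> None:
        self._spawn(sid)                 # one more OS thread per PONG, unbounded

    def live_threads(self) -> int:
        return sum(1 for t in self.threads if t.is_alive())


class HardenedHeartbeat:
    """Fixed pattern (modelled on the advisory's description): heartbeat
    threads only for authenticated clients, at most one active per sid,
    and PONGs that do not match an active heartbeat are discarded."""

    def __init__(self, stop: threading.Event):
        self.stop = stop
        self.active: dict[str, threading.Thread] = {}
        self.lock = threading.Lock()
        self.discarded_pongs = 0

    def _heartbeat_loop(self, sid: str) -> None:
        self.stop.wait()

    def on_connect(self, sid: str, authenticated: bool) -> None:
        if not authenticated:
            return                       # no thread until the client is authenticated
        with self.lock:
            cur = self.active.get(sid)
            if cur is not None and cur.is_alive():
                return                   # single active heartbeat thread per client
            t = threading.Thread(target=self._heartbeat_loop, args=(sid,), daemon=True)
            t.start()
            self.active[sid] = t

    def on_pong(self, sid: str, authenticated: bool) -> None:
        # A PONG never creates a thread. It is only meaningful while the
        # client's single heartbeat thread is alive; otherwise it is dropped.
        with self.lock:
            cur = self.active.get(sid)
            if not authenticated or cur is None or not cur.is_alive():
                self.discarded_pongs += 1

    def live_threads(self) -> int:
        return sum(1 for t in self.active.values() if t.is_alive())


def simulate(manager_cls, pongs: int, authenticated: bool) -> int:
    """Drive one client through connect + N PONGs; return threads alive."""
    stop = threading.Event()
    m = manager_cls(stop)
    m.on_connect("sid-1", authenticated)
    for _ in range(pongs):
        m.on_pong("sid-1", authenticated)
    alive = m.live_threads()
    stop.set()                           # release the parked threads
    return alive


# Detection side: the Threads: line of /proc/<pid>/status, read from a
# constructed sample rather than the live file so this runs anywhere.
SAMPLE_PROC_STATUS = "Name:\tpython3\nState:\tS (sleeping)\nThreads:\t4821\nSigQ:\t0/63000\n"


def thread_count_from_status(status_text: str) -> int:
    m = re.search(r"^Threads:\s*(\d+)$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else -1


def exceeds_thread_baseline(status_text: str, baseline: int, factor: float = 3.0) -> bool:
    """Flag a process whose thread count is far above its normal baseline."""
    return thread_count_from_status(status_text) > baseline * factor


if __name__ == "__main__":
    print("vulnerable, unauthenticated, 50 PONGs:", simulate(VulnerableHeartbeat, 50, False))
    print("hardened, unauthenticated, 50 PONGs:", simulate(HardenedHeartbeat, 50, False))
    print("hardened, authenticated, 50 PONGs:", simulate(HardenedHeartbeat, 50, True))
    print("thread alert:", exceeds_thread_baseline(SAMPLE_PROC_STATUS, baseline=40))
```

In the vulnerable model one connection plus 50 PONGs leaves 51 parked threads, whatever the client's authentication state; in the hardened model an unauthenticated client gets none and an authenticated client gets exactly one. The detection helper is deliberately baseline-relative: the absolute thread count of a Socket.IO server depends on its worker configuration, so the useful signal is growth well beyond the process's normal level without matching legitimate traffic.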
The vulnerability was reported by community researcher mauriceng98 and disclosed by maintainer Miguel Grinberg via a GitHub Security Advisory on May 23, 2026. A Reddit post in r/Network referenced the vulnerability as part of a threat intelligence roundup on May 26, 2026. No broader media coverage or notable vendor statements beyond the official advisory have been identified (Github Advisory).
Source: This report was generated using AI