CVE-2026-29905: Persistent Denial of Service via Malformed Image Upload in Kirby CMS

Kirby CMS through version 5.1.4 suffers from a persistent Denial of Service (DoS) vulnerability located in its media processing subsystem. The flaw requires an attacker to possess valid credentials with at least "Editor" privileges, which grants the capability to upload files to the system via the Kirby Panel interface. The core issue revolves around improper input validation (CWE-20) combined with an unchecked return value (CWE-252) during the processing of image metadata.

The vulnerability manifests when the application attempts to process a file that possesses a valid image extension (such as .jpg or .png) but lacks valid internal image structures. Modern Content Management Systems process uploaded media to extract dimensions, generate thumbnails, and populate metadata attributes. Kirby performs these operations synchronously during specific rendering routines, either immediately upon upload or when the media file is requested for display in the administrative panel.

When the processing routine encounters the malformed file, the underlying PHP thread crashes due to an unhandled exception. Because the file resides persistently on the filesystem, subsequent requests to the affected page or administrative route will re-trigger the rendering routine, resulting in a continuous loop of fatal errors. This persistence elevates the severity of the flaw, as it transforms a localized crash into a sustained Denial of Service for the affected application sections.

The root cause of CVE-2026-29905 lies in the strict type enforcement mechanisms introduced in modern PHP versions, specifically interacting with legacy function behaviors. The Kirby CMS codebase utilizes the built-in PHP function getimagesize() to extract the dimensions and file type of uploaded images. According to the PHP documentation, getimagesize() returns an array containing the image attributes upon successful parsing, but returns boolean false if the file is not a valid image or cannot be accessed.

The vulnerable media processing code in Kirby CMS assigns the return value of getimagesize() to a variable and subsequently treats that variable as an array without performing a prior boolean or type check. Specifically, the application attempts to access array offsets, such as $size[0] for width and $size[1] for height.

Prior to PHP 8.0, attempting to access an array offset on a boolean value would emit a non-fatal Warning and evaluate to null, allowing execution to proceed, albeit with invalid data. However, PHP 8.0 and later versions implement stricter type handling. Accessing an array offset on a boolean value now throws a fatal TypeError: Cannot access offset of type bool. This exception immediately halts the execution of the PHP script, returning a 500 Internal Server Error to the client.

An analysis of the vulnerable code path reveals the absence of defensive programming practices when handling the output of getimagesize(). The CMS invokes the function directly on the path of the user-supplied file.

// Vulnerable Implementation Pattern
$filePath = $file->root();
$size = getimagesize($filePath);
 
// The code incorrectly assumes $size is always an array
$width  = $size[0]; // Fatal TypeError thrown here if $size is false
$height = $size[1];

The patched version of Kirby CMS (5.2.0-rc.1) introduces a standard conditional check to verify the return type before attempting to access the array elements. By verifying that the result is an array, the application safely handles malformed files by either assigning default values, skipping the thumbnail generation, or emitting a gracefully handled application-level exception rather than a fatal PHP error.

// Patched Implementation Pattern
$filePath = $file->root();
$size = getimagesize($filePath);
 
// Verify the return type before array access
if (is_array($size)) {
    $width  = $size[0];
    $height = $size[1];
} else {
    // Graceful error handling or default fallback
    $width  = 0;
    $height = 0;
    // Log warning or throw handled application exception
}

This simple validation ensures that the strict typing engine in PHP 8.x does not encounter the conditions required to throw the TypeError, thereby neutralizing the Denial of Service vector.

Exploitation of CVE-2026-29905 requires the attacker to possess an account with sufficient privileges to upload files, typically the "Editor" or "Administrator" role in a standard Kirby CMS deployment. The attacker begins by crafting a payload file. The contents of the file are irrelevant as long as they do not constitute valid image data. A standard text file containing arbitrary string data is sufficient.

The attacker then renames this text file to include a valid, application-accepted image extension, such as poc.jpg or exploit.png. Using the authenticated session, the attacker navigates to a content page or media library section within the Kirby Panel and uploads the malformed file. The upload mechanism itself succeeds because the initial validation relies primarily on the file extension rather than deep content inspection.

The DoS condition is triggered immediately upon the application attempting to render a view that includes the uploaded file. If the attacker uploads the file to the site's main index page, the entire public-facing website will crash for all visitors. If uploaded to a specific administrative subsection, only that section is incapacitated. The attack is highly reproducible and requires no specialized exploitation tools beyond a standard web browser.

The primary impact of CVE-2026-29905 is a severe reduction in system availability, mapping to the High availability metric in the CVSS v3.1 vector (A:H). While the vulnerability does not permit unauthorized code execution, data exfiltration, or privilege escalation, the resulting Denial of Service is persistent and requires administrative access to the underlying server infrastructure to remediate.

Because the malformed file is written to the physical filesystem within the content/ directory, standard application users (even Administrators) cannot utilize the Kirby Panel to delete the offending file. The Panel itself crashes before it can render the media management interface. This creates a functional lock-out scenario for content managers.

The scope of the outage depends entirely on where the attacker places the file. Placement in globally shared assets (such as site-wide headers or footers) will result in a total site outage. Placement in obscure sub-pages will result in localized outages. The vulnerability is highly effective for internal sabotage or disruption by disgruntled privileged users.

The definitive remediation for CVE-2026-29905 is upgrading the Kirby CMS installation to version 5.2.0-rc.1 or later. The patch implements proper type checking on the output of image processing functions, eliminating the fatal TypeError condition. Administrators should review the official Kirby release notes and apply the update via Composer or manual package replacement.

In scenarios where immediate patching is not feasible, organizations must employ manual intervention to restore service. System administrators must connect to the hosting server via SSH or FTP, navigate to the content/ directory, and identify the malformed file. Deleting the file directly from the filesystem will resolve the unhandled exception and restore access to the application.

As a defense-in-depth measure, administrators should audit user permissions to ensure that only trusted individuals possess file upload capabilities. While Web Application Firewalls (WAFs) can theoretically inspect file uploads for mismatched headers and extensions, implementing robust WAF rules for this specific vector is complex and often bypassable. Therefore, relying on the vendor patch is the only comprehensive solution.