Executive Summary
A high-severity denial-of-service (DoS) vulnerability has been identified in DokuWiki v.2025-05-14b "Librarian", tracked as CVE-2026-26477 with a CVSS score of 7.5. The vulnerability resides in the media_upload_xhr() function within media.php and allows a remote, unauthenticated attacker to cause the application to crash or become unresponsive.
CVSS Score: 7.5 (High)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-26477 |
| CVSS Score | 7.5 (High) |
| Type | Denial of Service |
| Attack Vector | Network |
| Authentication | None required |
| User Interaction | None |
| Affected Component | media.php — media_upload_xhr() function |
| Affected Version | DokuWiki v.2025-05-14b 'Librarian' |
Root Cause
The vulnerability is located in the media_upload_xhr() function in media.php, which handles XHR (XMLHttpRequest) media file uploads. A specially crafted request to this endpoint can trigger unexpected behavior in the upload processing logic, causing the server process to crash or consume resources until it becomes unresponsive.
The function fails to properly handle malformed or edge-case input parameters, leading to a condition that terminates the DokuWiki process or locks it into an unresponsive state.
Affected Versions
| Software | Affected Version | Status |
|---|---|---|
| DokuWiki | v.2025-05-14b 'Librarian' | Vulnerable |
Note: Earlier releases may also be affected. Check the official DokuWiki changelog for patched version information.
Impact Assessment
Who Is at Risk
DokuWiki is a widely deployed open-source wiki platform commonly used by:
- Corporate intranets and knowledge bases
- Educational institutions
- Open-source project documentation sites
- Small-to-medium business portals
Any installation with the media upload functionality accessible — particularly those exposed to the internet or accessible to untrusted users — is potentially at risk.
Attack Scenario
1. Attacker identifies a DokuWiki instance running v.2025-05-14b
2. Attacker sends crafted XHR upload request to the media upload endpoint
3. media_upload_xhr() processes the malformed request
4. Application crashes or becomes unresponsive (denial of service)
5. Legitimate users are unable to access the wiki
While this vulnerability does not allow remote code execution or data exfiltration in its current described form, availability impact can be significant for organizations relying on DokuWiki for documentation, collaboration, or internal knowledge management.
Remediation
Immediate Actions
- Check your DokuWiki version — navigate to Admin > DokuWiki Configuration and note the installed version
- Apply the latest DokuWiki update — update to a patched release as soon as one becomes available from the DokuWiki project
- Restrict media upload access — if media upload functionality is not required for public users, restrict access via DokuWiki's ACL (Access Control List) system to authenticated users only
- Implement rate limiting — place a WAF or reverse proxy in front of the DokuWiki instance to rate-limit requests to the media upload endpoint
Temporary Mitigations
If patching is not immediately possible:
- Disable XHR media uploads in DokuWiki configuration settings
- Restrict the /lib/exe/ajax.php and media endpoints at the web server level (nginx/Apache) to trusted IP ranges
- Monitor access logs for unusual patterns targeting the media upload endpoint
Detection
Log Indicators
Monitor for repeated or malformed requests to the following endpoints:
POST /lib/exe/ajax.php?call=mediau
POST /lib/exe/mediamanager.php
Unusual request patterns (high volume, malformed content-type, oversized payloads, or truncated multipart bodies) to these endpoints should be investigated.
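As an added detection example (not code from the advisory or from the DokuWiki project), the script below applies the log indicators above to web server access logs in combined format: it picks out POST requests to the two upload endpoints, flags bursts from a single source IP, oversized request bodies, and 5xx responses on those endpoints. The sample log lines are constructed; the thresholds and the optional trailing request-length field (nginx's $request_length) are assumptions. The call name is matched as a prefix on the string `call=mediau` exactly as the advisory lists it.

```python
"""Scan access-log lines for the upload-endpoint patterns the advisory lists as indicators."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format, optionally followed by nginx's $request_length (assumed custom format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: (?P<req_len>\d+))?$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_CALL_PREFIX = "call=mediau"  # as listed in the advisory; matched as a query-parameter prefix


def parse_line(line):
    """Return a dict for a combined-format line, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    d["req_len"] = int(d["req_len"]) if d["req_len"] else None
    return d


def is_upload_request(method, target):
    """True for POSTs to the media upload endpoints named in the Detection section."""
    if method != "POST":
        return False
    path, _, query = target.partition("?")
    if path == "/lib/exe/mediamanager.php":
        return True
    if path == "/lib/exe/ajax.php":
        return any(p.startswith(UPLOAD_CALL_PREFIX) for p in query.split("&"))
    return False


def analyze(lines, window_s=60, burst=20, max_body=16 * 1024 * 1024):
    """Return findings: upload bursts per IP, oversized bodies, and 5xx replies on upload endpoints.
    Thresholds are assumed defaults; tune them to the site's normal editor activity."""
    findings = []
    recent = defaultdict(deque)  # ip -> timestamps of upload POSTs inside the sliding window
    burst_reported = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_upload_request(rec["method"], rec["target"]):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["req_len"] is not None and rec["req_len"] > max_body:
            findings.append({"ip": ip, "reason": "oversized_upload", "bytes": rec["req_len"]})
        if rec["status"] >= 500:  # the upload handler crashing shows up as 5xx on these paths
            findings.append({"ip": ip, "reason": "server_error", "status": rec["status"]})
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= burst and ip not in burst_reported:
            burst_reported.add(ip)
            findings.append({"ip": ip, "reason": "upload_burst", "count": len(q), "window_s": window_s})
    return findings


# --- constructed sample data (not real traffic) ---
def _line(ip, ts, target, status, req_len=None, method="POST"):
    base = (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {target} HTTP/1.1" '
            f'{status} 0 "-" "constructed-client/1.0"')
    return base if req_len is None else f"{base} {req_len}"


T0 = datetime(2026, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    # benign editor: two normal uploads and a page view
    _line("198.51.100.7", T0, "/lib/exe/ajax.php?call=mediau&ns=wiki", 200, 4096),
    _line("198.51.100.7", T0 + timedelta(seconds=5), "/doku.php?id=start", 200, method="GET"),
    _line("198.51.100.7", T0 + timedelta(seconds=40), "/lib/exe/mediamanager.php", 200, 8192),
    # noisy source: 25 upload POSTs in 25 seconds, one oversized, the last three answered with 500
    *[_line("203.0.113.5", T0 + timedelta(seconds=i), "/lib/exe/ajax.php?call=mediau",
            500 if i >= 22 else 200, 64 * 1024 * 1024 if i == 3 else 1024) for i in range(25)],
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the sample data the benign editor produces no findings, while the noisy source yields one oversized-upload finding, one burst finding once its 20th POST lands inside the 60-second window, and one server-error finding per 500 response; the burst is reported once per IP so a sustained flood does not drown the output in duplicates.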
Key Takeaways
- CVSS 7.5 High — Network-exploitable DoS with no authentication required
- Remote, unauthenticated exploitation via malformed XHR upload request
- Update DokuWiki to the latest patched release when available
- Restrict media upload access to authenticated and authorized users as an interim mitigation
- Monitor upload endpoints for anomalous request patterns