CVE-2026-27807 Overview
CVE-2026-27807 is a Denial of Service vulnerability in MarkUs, a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create or update various entities such as assignment settings. These YAML files are parsed with aliases enabled, making the application susceptible to YAML alias expansion attacks (CWE-776: Improper Restriction of Recursive Entity References in DTDs).
Critical Impact
Authenticated instructors can upload maliciously crafted YAML files that exploit recursive alias expansion to cause resource exhaustion and denial of service, potentially disrupting academic operations and grading activities.
Affected Products
- MarkUsProject MarkUs versions prior to 2.9.4
Discovery Timeline
- March 6, 2026 - CVE-2026-27807 published to NVD
- March 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27807
Vulnerability Analysis
This vulnerability stems from improper handling of YAML alias expansion in MarkUs's file upload functionality. YAML anchors (&name) let a document define a node once and aliases (*name) reference it again elsewhere; when aliases are nested so that each level refers several times to the level below it, the parser materialises an exponentially larger structure than the text it was given. When MarkUs parses instructor-uploaded YAML files without restricting alias expansion, an attacker with instructor privileges can craft YAML documents containing deeply nested or recursive alias references.
The attack exploits the "Billion Laughs" pattern (the YAML analogue of the XML entity-expansion bomb), where a small input file expands to consume large amounts of memory and CPU during parsing. This can lead to application crashes, service unavailability, and knock-on impact on the underlying server infrastructure.
Root Cause
The root cause is the YAML parser configuration that enables alias expansion without proper restrictions on recursion depth or expansion limits. When processing YAML files for entity creation and updates, the application does not validate or restrict the complexity of alias references, allowing exponential expansion during the parsing phase.
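The loader below is an added example, not MarkUs code, written for the Ruby on Rails stack MarkUs runs on. It shows the restriction the root cause calls for: instructor uploads are size-limited, alias references are counted on the Psych node tree (which never expands them), and the final load runs with aliases disabled so the parser raises instead of expanding. The constant names, the `UnsafeYamlUpload` error class, the size threshold and both sample documents are assumptions made for the example.

```ruby
require 'yaml'

# Added example, not MarkUs code. Hypothetical loader for instructor-uploaded
# YAML that refuses alias expansion, the root cause described above.
MAX_UPLOAD_BYTES = 256 * 1024 # assumed per-upload limit; tune per deployment

class UnsafeYamlUpload < StandardError; end

# Count alias references without expanding them: Psych.parse builds the node
# tree and keeps each *alias as a Psych::Nodes::Alias, so a document that
# would explode under YAML.load costs only its own size to inspect here.
def yaml_alias_count(text)
  doc = Psych.parse(text)
  return 0 unless doc # empty document parses to false
  doc.grep(Psych::Nodes::Alias).size
end

def load_instructor_yaml(text, max_bytes: MAX_UPLOAD_BYTES)
  if text.bytesize > max_bytes
    raise UnsafeYamlUpload, "upload is #{text.bytesize} bytes, limit is #{max_bytes}"
  end
  aliases = yaml_alias_count(text)
  raise UnsafeYamlUpload, "aliases are not permitted (#{aliases} found)" if aliases > 0
  # Second line of defence: aliases: false makes Psych raise instead of
  # expanding if the pre-check is ever bypassed. Psych::BadAlias is the parent
  # of the Psych::AliasesNotEnabled raised by Psych 4, so the rescue also
  # covers Psych 3.1+.
  YAML.safe_load(text, aliases: false)
rescue Psych::BadAlias => e
  raise UnsafeYamlUpload, "alias expansion rejected: #{e.message}"
end

# Constructed sample: a legitimate assignment-settings upload without aliases.
CLEAN_UPLOAD = <<~YAML
  assignments:
    - short_identifier: A1
      description: Introductory assignment
      due_date: "2026-03-20"
YAML

# Constructed sample: the nested anchor/alias shape the advisory describes,
# kept to three references per level so that it is harmless to parse.
ALIASED_UPLOAD = <<~YAML
  a: &a [x, x, x]
  b: &b [*a, *a, *a]
  c: [*b, *b, *b]
YAML

if $PROGRAM_NAME == __FILE__
  p load_instructor_yaml(CLEAN_UPLOAD)["assignments"].first["short_identifier"]
  begin
    load_instructor_yaml(ALIASED_UPLOAD)
  rescue UnsafeYamlUpload => e
    puts "rejected: #{e.message}"
  end
end
```

Counting on the node tree rather than with a regular expression avoids false positives on `*` inside string values, and rejecting any alias at all (rather than capping the count) is the simplest policy for an instructor-facing import, since the entity files this feature accepts have no need for anchors.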
Attack Vector
The attack is network-based and requires high privileges (instructor-level access) to execute. An authenticated instructor can upload a specially crafted YAML file through the assignment settings interface. The malicious YAML file contains alias definitions that reference each other recursively or in a pattern that causes exponential memory expansion when parsed.
The vulnerability affects the availability of the system without impacting confidentiality or integrity. Since instructor privileges are required, the attack surface is limited to authenticated users with elevated access within the MarkUs application.
Detection Methods for CVE-2026-27807
Indicators of Compromise
- Unusual memory consumption spikes on servers hosting MarkUs applications
- Application crashes or unresponsive behavior following YAML file uploads
- Error logs indicating YAML parsing failures or memory allocation errors
- Abnormally large YAML files uploaded through the instructor interface
Detection Strategies
- Monitor application logs for YAML parsing errors or timeout conditions
- Implement file size limits and complexity checks on uploaded YAML documents
- Track memory utilization patterns on MarkUs application servers
- Alert on repeated upload attempts of YAML files from the same user
Monitoring Recommendations
- Configure application performance monitoring to detect resource exhaustion patterns
- Set up alerting thresholds for memory consumption on MarkUs servers
- Review audit logs for instructor YAML file upload activities
- Implement logging for YAML parsing duration and resource consumption
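The detection and monitoring bullets above can be turned into a concrete alert rule once the application logs each YAML upload with its size, parse time and outcome. The script below is an added example (not MarkUs code or its real log format): it assumes a constructed one-line-per-upload log, flags small uploads whose parse time is out of proportion to their size, and flags a user whose failed uploads repeat within a short window. The log format, field names and thresholds are all assumptions.

```ruby
require 'time'

# Added example, not MarkUs code. Constructed log format, one line per upload:
# "<iso8601> user=<id> event=yaml_upload bytes=<n> parse_ms=<n> status=<ok|error|timeout>"
LOG_LINE = /\A(?<ts>\S+) user=(?<user>\S+) event=yaml_upload bytes=(?<bytes>\d+) parse_ms=(?<ms>\d+) status=(?<status>\w+)\z/

# Assumed thresholds: a file under 64 KiB that needs two seconds to parse is
# the signature of alias expansion, and three non-ok uploads from one user in
# five minutes suggests someone iterating on a payload.
SMALL_UPLOAD_BYTES = 64 * 1024
SLOW_PARSE_MS      = 2_000
REPEAT_WINDOW_SEC  = 300
REPEAT_LIMIT       = 3

def parse_yaml_upload_log(lines)
  lines.filter_map do |line|
    m = LOG_LINE.match(line.strip) or next
    { ts: Time.iso8601(m[:ts]), user: m[:user], bytes: m[:bytes].to_i,
      ms: m[:ms].to_i, status: m[:status] }
  end
end

def yaml_upload_alerts(lines, slow_ms: SLOW_PARSE_MS, window: REPEAT_WINDOW_SEC, limit: REPEAT_LIMIT)
  events = parse_yaml_upload_log(lines)
  alerts = []

  # Rule 1: small file, long parse -> expansion during parsing.
  events.each do |e|
    next unless e[:ms] >= slow_ms && e[:bytes] < SMALL_UPLOAD_BYTES
    alerts << "#{e[:user]}: #{e[:bytes]}-byte upload took #{e[:ms]} ms (possible alias expansion)"
  end

  # Rule 2: repeated failed uploads from the same user inside the window.
  failures = events.reject { |e| e[:status] == "ok" }
  failures.group_by { |e| e[:user] }.each do |user, fails|
    fails.sort_by { |e| e[:ts] }.each_cons(limit) do |run|
      if run.last[:ts] - run.first[:ts] <= window
        alerts << "#{user}: #{limit} failed YAML uploads within #{window} s"
        break
      end
    end
  end
  alerts
end

# Constructed sample log: one normal instructor and one whose tiny uploads
# time out repeatedly.
SAMPLE_LOG = [
  "2026-03-10T09:00:01Z user=instr42 event=yaml_upload bytes=2048 parse_ms=12 status=ok",
  "2026-03-10T09:05:13Z user=instr07 event=yaml_upload bytes=900 parse_ms=48000 status=timeout",
  "2026-03-10T09:06:02Z user=instr07 event=yaml_upload bytes=910 parse_ms=47000 status=timeout",
  "2026-03-10T09:07:45Z user=instr07 event=yaml_upload bytes=905 parse_ms=45500 status=error",
  "2026-03-10T09:30:00Z user=instr42 event=yaml_upload bytes=4096 parse_ms=20 status=ok",
]

puts yaml_upload_alerts(SAMPLE_LOG) if $PROGRAM_NAME == __FILE__
```

Keying the first rule on the ratio of parse time to upload size, rather than on parse time alone, is what separates an expansion attack from an honest but large settings file; the second rule only fires on non-ok outcomes so that an instructor who legitimately re-uploads a corrected file several times is not paged.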
How to Mitigate CVE-2026-27807
Immediate Actions Required
- Upgrade MarkUs to version 2.9.4 or later immediately
- Review recent YAML file uploads for potentially malicious content
- Consider temporarily restricting YAML upload functionality until the patch is applied
- Monitor system resources for signs of exploitation
Patch Information
The vulnerability has been patched in MarkUs version 2.9.4. The fix restricts YAML alias expansion to prevent resource exhaustion attacks. Organizations should upgrade to this version or later to address the vulnerability.
For detailed patch information, refer to the GitHub Release v2.9.4 and the GitHub Security Advisory GHSA-m9rx-85mx-q9h6.
Workarounds
- Implement file size limits on YAML uploads to reduce potential impact
- Configure web application firewall rules to inspect YAML content for recursive alias patterns
- Temporarily disable YAML-based entity creation functionality if upgrading is not immediately possible
- Restrict instructor upload permissions to trusted users until patch deployment
# Example: limit upload size in the web server (nginx, inside the server or location block that fronts MarkUs)
client_max_body_size 1M;
# Watch for unusual memory consumption (ten largest processes by memory share, refreshed every 5 seconds)
watch -n 5 'ps aux --sort=-%mem | head -10'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.