CVE-2026-40902 Overview
CVE-2026-40902 is a resource exhaustion vulnerability in PhpSpreadsheet, a pure PHP library for reading and writing spreadsheet files. The flaw exists in the ColumnAndRowAttributes::readRowAttributes() method of the XLSX reader. The method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit defined by AddressRange::MAX_ROW (1,048,576). An attacker can craft a minimal XLSX file of approximately 1.6KB that triggers nearly one billion loop iterations during row processing. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).
Critical Impact
A single malicious 1.6KB XLSX upload can exhaust CPU resources on any web application that parses untrusted spreadsheets using PhpSpreadsheet, resulting in denial of service.
Affected Products
- PHPOffice PhpSpreadsheet versions prior to 1.30.4
- PHPOffice PhpSpreadsheet versions 2.0.0 through 2.1.15 and 2.2.0 through 2.4.4
- PHPOffice PhpSpreadsheet versions 3.0.0 through 3.10.4 and 4.0.0 through 5.6.x
Discovery Timeline
- 2026-05-12 - CVE-2026-40902 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-40902
Vulnerability Analysis
The vulnerability resides in PhpSpreadsheet's XLSX reader logic. When parsing an XLSX archive, the library iterates through <row> elements inside the sheet XML and extracts the r attribute to determine the row index. The ColumnAndRowAttributes::readRowAttributes() method accepts this attribute value directly and uses it to update the internal cachedHighestRow property. No bounds check is applied to ensure the value remains within the legitimate spreadsheet range of 1,048,576 rows.
Downstream operations that iterate over the worksheet, such as getHighestRow(), toArray(), and similar bulk-processing functions, then attempt to loop from row 1 up to the inflated cachedHighestRow value. An attacker-supplied value of 999,999,999 forces roughly one billion iterations on a single worksheet, consuming CPU until the PHP execution limit terminates the worker process.
Root Cause
The root cause is missing input validation on user-controlled XML data. The XLSX format is a ZIP container of XML files, and the row index attribute is fully attacker-controlled. PhpSpreadsheet trusts this value without comparing it against AddressRange::MAX_ROW. The result is an algorithmic complexity attack where a tiny input expands into a long-running server-side loop.
Attack Vector
Exploitation requires no authentication and no user interaction beyond the application accepting an XLSX upload or import. Any web application that passes an attacker-supplied XLSX file to PhpSpreadsheet's reader is vulnerable. The attacker crafts a minimal workbook containing a single forged <row r="999999999"/> element and submits it through any feature that triggers spreadsheet parsing. Repeated submissions amplify the impact and can saturate worker pools.
For technical details on the patched code path, refer to the PHPOffice PhpSpreadsheet Security Advisory GHSA-7c6m-4442-2x6m.
Detection Methods for CVE-2026-40902
Indicators of Compromise
- XLSX uploads containing <row> elements with r attribute values greater than 1,048,576 inside xl/worksheets/sheet*.xml.
- PHP-FPM or web worker processes hitting max_execution_time while processing user-submitted spreadsheets.
- Sustained high CPU utilization on application servers correlated with file upload endpoints that invoke PhpSpreadsheet.
Detection Strategies
- Inspect inbound XLSX files at the application layer and parse the sheet XML to flag any r attribute exceeding 1048576 before invoking PhpSpreadsheet.
- Add application logging around PhpSpreadsheet reader calls capturing file size, parse duration, and the resulting getHighestRow() value to surface anomalous values.
- Hunt application logs for PHP fatal errors of type Maximum execution time of N seconds exceeded originating from PhpSpreadsheet stack frames.
Monitoring Recommendations
- Alert on web workers that exceed CPU thresholds while handling spreadsheet import routes.
- Track the ratio of upload size to processing time. A sub-2KB file consuming multiple seconds of CPU is a strong signal.
- Monitor PHP error logs and APM traces for repeated timeouts on the same endpoint from the same source IP.
How to Mitigate CVE-2026-40902
Immediate Actions Required
- Upgrade PhpSpreadsheet to 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0 depending on the major version branch in use.
- Inventory all PHP applications that ingest user-supplied spreadsheets and confirm the deployed PhpSpreadsheet version through composer.lock.
- Restrict spreadsheet upload endpoints to authenticated users where the business workflow permits.
Patch Information
Maintainers fixed the issue in PhpSpreadsheet versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. The patch validates row index values against AddressRange::MAX_ROW inside ColumnAndRowAttributes::readRowAttributes() and rejects or clamps out-of-range values. Update via Composer with composer require phpoffice/phpspreadsheet:^5.7.0 or the equivalent constraint for your maintained branch.
Workarounds
- Enforce a strict PHP max_execution_time and per-request memory limit for routes that parse spreadsheets to bound the impact of a successful exploit.
- Pre-validate uploaded XLSX files by unzipping the archive and rejecting any sheet XML containing an r attribute greater than 1048576.
- Place spreadsheet processing behind a sandboxed worker queue with low concurrency so a single malicious file cannot exhaust the entire web tier.
# Composer update example for the 5.x branch
composer require phpoffice/phpspreadsheet:^5.7.0
composer update phpoffice/phpspreadsheet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
