Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41034

CVE-2026-41034: ONLYOFFICE DocumentServer Info Leak Flaw

CVE-2026-41034 is an information disclosure vulnerability in ONLYOFFICE DocumentServer affecting XLS processing. An untrusted pointer dereference leads to information leaks and ASLR bypass in versions before 9.3.0.

Published:

CVE-2026-41034 Overview

CVE-2026-41034 is an Out-of-Bounds Read vulnerability affecting ONLYOFFICE DocumentServer versions prior to 9.3.0. The vulnerability stems from an untrusted pointer dereference in XLS file processing and conversion functionality, specifically exploitable via pictFmla.cbBufInCtlStm and other related vectors. Successful exploitation leads to information leakage and Address Space Layout Randomization (ASLR) bypass, potentially enabling further attacks against affected systems.

Critical Impact

This vulnerability enables information disclosure and ASLR bypass through malicious XLS file processing, which could be leveraged as part of a multi-stage attack to achieve more severe compromises.

Affected Products

  • ONLYOFFICE DocumentServer versions prior to 9.3.0

Discovery Timeline

  • April 16, 2026 - CVE-2026-41034 published to NVD
  • April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-41034

Vulnerability Analysis

The vulnerability is classified under CWE-125 (Out-of-Bounds Read), which occurs when the software reads data past the end or before the beginning of the intended buffer. In this case, ONLYOFFICE DocumentServer fails to properly validate pointer values during XLS file processing and conversion operations.

The attack can be initiated remotely over the network and requires low-privileged access to the system. The vulnerability affects the confidentiality of the system by enabling unauthorized information disclosure without impacting integrity or availability. Additionally, the scope is changed, meaning the vulnerable component impacts resources beyond its security scope.

Root Cause

The root cause lies in improper handling of pointer values within the XLS processing engine. Specifically, the pictFmla.cbBufInCtlStm field and similar structures are not adequately validated before being dereferenced. This allows an attacker to craft a malicious XLS file that causes the application to read from arbitrary memory locations, bypassing ASLR protections and leaking sensitive memory contents.

Attack Vector

An attacker exploits this vulnerability by crafting a specially malformed XLS file containing manipulated pointer references in the picture formula structures. When the DocumentServer processes or converts this malicious file, it dereferences the untrusted pointer values without proper bounds checking. This results in out-of-bounds memory reads that can disclose sensitive information from the server's memory space, including memory addresses that reveal the ASLR layout.

The network-based attack vector means an attacker can deliver the malicious XLS file through various channels such as document collaboration features, file upload functionality, or conversion APIs exposed by the DocumentServer.

Detection Methods for CVE-2026-41034

Indicators of Compromise

  • Unusual XLS file processing errors or crashes in ONLYOFFICE DocumentServer logs
  • Unexpected memory access patterns or segmentation faults during document conversion
  • Large volumes of XLS files being submitted for processing from suspicious sources
  • Error messages referencing pictFmla or related formula structures

Detection Strategies

  • Monitor DocumentServer logs for anomalous XLS processing failures or memory-related errors
  • Implement file integrity monitoring on DocumentServer components to detect potential exploitation attempts
  • Deploy network-based detection rules to identify malformed XLS files with suspicious pictFmla structures
  • Use endpoint detection and response (EDR) solutions to monitor for out-of-bounds read behaviors

Monitoring Recommendations

  • Enable verbose logging for the DocumentServer XLS processing module
  • Set up alerts for repeated document conversion failures from the same source
  • Monitor memory usage patterns of DocumentServer processes for anomalies
  • Track file uploads and conversions for unusually structured XLS files

How to Mitigate CVE-2026-41034

Immediate Actions Required

  • Upgrade ONLYOFFICE DocumentServer to version 9.3.0 or later immediately
  • Restrict access to document processing and conversion APIs to trusted users only
  • Implement input validation and file scanning for XLS uploads before processing
  • Review access logs for any suspicious document processing activity

Patch Information

ONLYOFFICE has addressed this vulnerability in DocumentServer version 9.3.0. Organizations should upgrade to this version or later to remediate the issue. For detailed information about the fix, refer to the ONLYOFFICE DocumentServer Changelog.

Workarounds

  • Temporarily disable XLS file processing and conversion functionality if not business-critical
  • Implement network segmentation to isolate DocumentServer instances from sensitive systems
  • Deploy a web application firewall (WAF) to filter potentially malicious XLS uploads
  • Restrict file upload capabilities to authenticated and trusted users only
  • Consider using alternative document processing solutions until patching is complete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.