Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} REST API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
Published: 2026-05-20
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in XWiki Platform's REST API: in affected releases, a POST to /wikis/{wikiName} runs a XAR import without any authentication or authorization check. Any client that can reach the endpoint can upload a XAR package and create or overwrite documents in the target wiki. Because XWiki keeps page content, application logic and much of its configuration in wiki documents, an attacker can alter or replace pages, plant content of their choosing, and use the compromised wiki as a staging point for further attacks. The CVSS v4 vector rates the confidentiality, integrity and availability impact as High (VC:H/VI:H/VA:H).

Affected Systems

The issue affects XWiki Platform versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17. In practice that means any release below 18.1.0-rc-1 is affected unless it sits on one of the patched maintenance branches at or above that branch's fix level; an unpatched feature release such as a 17.5.x or 18.0.0 build is affected. The fix was implemented in 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
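The version rule above is easy to get wrong when triaging a fleet, because the fix level differs per branch and pre-release qualifiers (milestone, rc) have to sort below the final release. The following is an added example, not XWiki project code, that encodes exactly the fixed releases named in the CVE description; the handling of qualifiers other than "milestone" and "rc" as final releases is an assumption of this example.

```python
import re

# Added example: affected-version check for CVE-2026-33137, derived from the
# fixed releases listed in the CVE description. Not XWiki project code.
# Fix levels per maintained branch (major.minor -> first fixed release).
FIXED_BY_BRANCH = {
    (16, 10): "16.10.17",
    (17, 4): "17.4.9",
    (17, 10): "17.10.3",
    (18, 0): "18.0.1",
}
# Everything from this release onward on the main line is fixed.
FIRST_FIXED_MAIN = "18.1.0-rc-1"


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH[-qualifier]' into a comparable tuple.

    XWiki pre-releases carry qualifiers such as '-milestone-1' or '-rc-1';
    these sort below the final release of the same number, and milestones
    below release candidates. Any other qualifier is treated as a final
    release (assumption for this example).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(.+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    qualifier = (m.group(4) or "").lower()
    number = int(re.sub(r"\D", "", qualifier) or 0)
    if qualifier.startswith("milestone"):
        pre = (0, number)
    elif qualifier.startswith("rc"):
        pre = (1, number)
    else:
        pre = (2, 0)  # final release
    return (major, minor, patch, pre)


def is_affected(version):
    """True if this XWiki Platform version is vulnerable to CVE-2026-33137."""
    v = parse_version(version)
    if v >= parse_version(FIRST_FIXED_MAIN):
        return False
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is not None and v >= parse_version(fix):
        return False
    # Below 18.1.0-rc-1 and not on a patched branch at its fix level:
    # affected, including unpatched feature releases such as 17.5.x.
    return True


def triage(versions):
    """Map each version string to 'affected' / 'fixed' for a fleet report."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    report = triage(["16.10.16", "16.10.17", "17.4.8", "17.5.0",
                     "18.0.0", "18.0.1", "18.1.0-rc-1"])
    for version, state in report.items():
        print(f"{version:>12}  {state}")
```

Run it against the version string reported by each instance (for example from the XWiki "About" page or the deployed WAR's manifest); the design choice worth noting is that the check is branch-aware rather than a single "less than" comparison, so that 17.4.9 is reported fixed while the numerically higher 17.5.0 is still reported affected.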

Risk and Exploitability

The vulnerability is rated Critical with a CVSS v4.0 score of 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H): reachable over the network, low attack complexity, and no privileges or user interaction required. No EPSS score is available yet and the issue is not listed in CISA KEV, so the observed likelihood of exploitation is unknown. The absence of any authentication check, however, means exploitation reduces to a single crafted POST request carrying a XAR package to the REST endpoint, so any instance whose REST API is reachable from untrusted networks should be treated as high risk until patched.

Generated by OpenCVE AI on May 20, 2026 at 20:42 UTC.

Remediation

Fixed releases, per the CVE description: 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1. No vendor workaround is listed in the record.

OpenCVE Recommended Actions

  • Upgrade XWiki Platform to the fixed release for your branch: 16.10.17, 17.4.9, 17.10.3, 18.0.1, or 18.1.0-rc-1 and later.
  • If an upgrade is not immediately possible, restrict network access to the REST API, or have the reverse proxy in front of XWiki deny or require its own authentication for POST requests to the REST path /rest/wikis/{wikiName} (a firewall alone cannot tell authenticated from unauthenticated requests).
  • Review proxy access logs for POST requests to that endpoint and audit recently created or modified documents for unexpected changes, since the vulnerability allows silent content injection.
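The proxy rule and the log review in the list above match the same request shape, so one predicate can serve both. The following is an added example and not XWiki project code: it scans reverse-proxy access lines in the standard combined log format for XAR-import POSTs, distinguishing them from ordinary REST page operations under the same prefix. It assumes the XWiki REST API is served under the webapp context followed by /rest/ (for example /xwiki/rest/), and the sample log lines are constructed for the example.

```python
import re

# Added example: flag XAR-import requests to the vulnerable REST endpoint in
# reverse-proxy access logs (combined log format). Not XWiki project code.
# Assumptions: XWiki's REST API is served under <context>/rest/ (e.g.
# /xwiki/rest/), and the proxy logs in the standard combined format.

# A XAR import is a POST to exactly /rest/wikis/{wikiName}; sub-resources such
# as /rest/wikis/{wikiName}/spaces/... are ordinary page operations.
XAR_IMPORT_PATH = re.compile(r"^(?:/[^/?#]+)?/rest/wikis/([^/?#]+)/?(?:[?#].*)?$")

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/May/2026:21:02:11 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [20/May/2026:21:03:40 +0000] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - admin [20/May/2026:21:05:02 +0000] "POST /xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/Test HTTP/1.1" 201 300 "-" "curl/8.0"',
    '10.0.0.4 - - [20/May/2026:21:06:00 +0000] "POST /xwiki/rest/wikis/subwiki HTTP/1.1" 401 0 "-" "curl/8.0"',
    'garbage line that does not parse',
]


def is_xar_import_request(method, path):
    """True if (method, path) is the XAR-import call this CVE concerns.

    The same predicate is what a reverse-proxy rule should match when the
    endpoint is blocked or forced through proxy-level authentication.
    """
    return method == "POST" and XAR_IMPORT_PATH.match(path) is not None


def find_xar_import_posts(lines):
    """Return one record per XAR-import POST found in the log lines.

    The proxy's remote-user field is only populated when the proxy itself
    authenticates; XWiki session or Basic auth is invisible here, so every
    hit against an unpatched instance needs review. A 401/403 status means
    the request was rejected before the import ran.
    """
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        if not is_xar_import_request(m["method"], m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "user": None if m["user"] == "-" else m["user"],
            "wiki": XAR_IMPORT_PATH.match(m["path"]).group(1),
            "status": int(m["status"]),
            "rejected": m["status"] in ("401", "403"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_xar_import_posts(SAMPLE_LOG):
        print(hit)
```

On an unpatched instance a 2xx response to one of these hits means the import ran, so the named wiki's recent document history should be reviewed for that timestamp; the path match is anchored on the exact /rest/wikis/{wikiName} resource because POSTs to deeper resources under the same prefix are normal authenticated page edits and would otherwise drown the signal.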

Advisories

No advisories yet.

History

Wed, 20 May 2026 19:30:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

Type: Title
  Values Removed: (empty)
  Values Added: XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-862

Type: References
  Values Removed: (empty)
  Values Added: (empty)

Type: Metrics
  Values Removed: (empty)
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T18:59:17.819Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33137

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-20T20:16:37.567

Modified: 2026-05-20T20:16:37.567

Link: CVE-2026-33137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T20:45:03Z

Weaknesses