Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1.
Published: 2026-04-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion leading to Unavailability
Action: Apply Patch
AI Analysis

Impact

XWiki Platform versions 1.8-rc-1, 17.0.0-rc-1, and 17.5.0-rc-1 and earlier allow REST API endpoints to enumerate every page, space, and object without imposing query limits. The resulting exhaustive list of metadata can consume excessive server CPU, memory, and I/O, eventually causing the service to become unresponsive. The issue’s weakness corresponds to Resource Exhaustion and can compromise availability, which is the primary impact for users of large wikis.

Affected Systems

The vulnerability affects the xwiki-platform-legacy-oldcore and xwiki-platform-oldcore products from XWiki. It applies to releases up to and including 1.8-rc-1, 17.0.0-rc-1, and 17.5.0-rc-1. Versions 16.10.16, 17.4.8, and 17.10.1 contain the fix; instances on older versions remain at risk.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity. No EPSS score is reported, so exploitation likelihood is unknown, and the vulnerability is not currently recorded in the CISA KEV catalog. The attack vector is inferred to be remote over HTTP by an unauthenticated or authenticated user who can access REST endpoints; an attacker could trigger the exhaustive queries to deplete server resources.

Generated by OpenCVE AI on April 15, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the XWiki Platform to version 16.10.16, 17.4.8, or 17.10.1 to receive the official fix; this removes the unbounded list generation from the REST API.
  • If an upgrade is not immediately possible, restrict network access to the affected REST endpoints (e.g., using firewall rules or HTTP authentication) so that only trusted administrators can perform page enumeration.
  • Configure resource limits on the web server or Java application to throttle or deny large requests, mitigating the risk of service exhaustion until a patch can be applied.


Advisories

Source: GitHub GHSA
ID: GHSA-mrqg-xmgm-rc5g
Title: XWiki's REST APIs can list all pages/spaces, leading to unavailability
History

Wed, 15 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xwiki; Xwiki xwiki-platform-legacy-oldcore; Xwiki xwiki-platform-oldcore

Type: Vendors & Products
Values Removed: (none)
Values Added: Xwiki; Xwiki xwiki-platform-legacy-oldcore; Xwiki xwiki-platform-oldcore

Wed, 15 Apr 2026 00:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: the CVE description shown at the top of this page

Type: Title
Values Removed: (none)
Values Added: XWiki's REST APIs can list all pages/spaces, leading to unavailability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-770

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0, score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T00:01:58.583Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40104

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-15T04:17:47.953

Modified: 2026-04-15T04:17:47.953

Link: CVE-2026-40104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:35Z

Weaknesses