
CVE-2026-23734: XWiki Platform Path Traversal Flaw

CVE-2026-23734 is a path traversal vulnerability in XWiki Platform that allows attackers to read configuration files through ssx and jsx endpoints. This article covers technical details, affected versions, and mitigation.

CVE-2026-23734 Overview

CVE-2026-23734 is a path traversal vulnerability in XWiki Platform, a generic wiki platform used to build collaborative applications. The flaw allows unauthenticated attackers to read arbitrary files on the server, including configuration files such as WEB-INF/xwiki.cfg, by abusing the resource parameter on the ssx and jsx endpoints. Attackers exploit the issue by supplying leading slashes that bypass the normalization logic in ClassLoaderUtils. The vulnerability is classified as Path Traversal [CWE-23].

Critical Impact

Unauthenticated remote attackers can read sensitive configuration files and other server-side resources outside the intended classpath, leading to disclosure of credentials, secrets, and internal configuration.

Affected Products

  • XWiki Platform versions prior to 16.10.17
  • XWiki Platform versions prior to 17.4.9 and 17.10.3
  • XWiki Platform versions prior to 18.1.0-rc-1

Discovery Timeline

  • 2026-05-20 - CVE-2026-23734 published to NVD
  • 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-23734

Vulnerability Analysis

The vulnerability resides in the resource resolution logic used by the Skin Extension (ssx) and JavaScript Skin Extension (jsx) endpoints. These endpoints accept a resource query parameter that is resolved through ClassLoaderUtils to load static assets from the classpath. An attacker can request a URL such as http://target:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false to read files outside the intended directory. Because the endpoints do not require authentication, exploitation is possible against any reachable XWiki instance. Successful exploitation discloses configuration files containing database credentials, mail server settings, and other secrets.

Root Cause

The normalization logic in ClassLoaderUtils relied on Paths.get(fullPath).normalize() to detect traversal attempts. On Tomcat, leading / characters in a classpath resource name are silently ignored, so /../../WEB-INF/xwiki.cfg is resolved as ../../WEB-INF/xwiki.cfg relative to the resource root. Paths#normalize(), by contrast, treats the leading / as the filesystem root and discards the .. segments that would climb above it, yielding /WEB-INF/xwiki.cfg. This inconsistency allowed the input to pass the startsWith("../") check while still resolving to a parent directory at runtime.
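To make the mismatch concrete, the following added example (not XWiki code) models both checks in Python: posixpath.normpath collapses /.. at the root to / the same way java.nio's Paths#normalize does on Unix, and the Tomcat side is modelled, as the patch comment states, by dropping all leading slashes before resolving relative to the resource root. The sample resource names are constructed; the pre-fix and post-fix logic follow the patch quoted below.

```python
import posixpath

# Constructed sample inputs: legitimate names, plain traversal, and the
# leading-slash variants that the original check did not catch.
SAMPLES = [
    "skin/style.css",               # legitimate resource
    "../../WEB-INF/xwiki.cfg",      # plain traversal, caught by both checks
    "/../../WEB-INF/xwiki.cfg",     # leading slash: slips past the old check
    "///../WEB-INF/xwiki.cfg",      # several leading slashes, same effect
    "a/../../WEB-INF/web.xml",      # traversal after a harmless segment
]

def first_segment_is_parent(normalized: str) -> bool:
    """Path#startsWith("../") compares name elements, so test the first segment."""
    return normalized.split("/")[0] == ".."

def java_normalize(path: str) -> str:
    """Model of Paths.get(path).normalize(): an absolute path cannot climb above
    '/', so the leading '..' elements are dropped (assumption: Unix semantics)."""
    return posixpath.normpath(path)

def vulnerable_check_allows(resource: str) -> bool:
    """Pre-fix logic: normalize the raw name and reject only if it starts with '..'."""
    return not first_segment_is_parent(java_normalize(resource))

def fixed_check_allows(resource: str) -> bool:
    """Post-fix logic: strip every leading '/' (Tomcat ignores them) before normalizing."""
    return not first_segment_is_parent(java_normalize(resource.lstrip("/")))

def tomcat_escapes_root(resource: str) -> bool:
    """Model of Tomcat's classloader lookup: leading '/' dropped, remainder resolved
    relative to the resource root; True when the lookup leaves that root."""
    return first_segment_is_parent(posixpath.normpath(resource.lstrip("/")))

def evaluate(samples=SAMPLES):
    """Per sample: what each check decides and what Tomcat would actually do."""
    return {
        s: {
            "vulnerable_allows": vulnerable_check_allows(s),
            "fixed_allows": fixed_check_allows(s),
            "tomcat_escapes_root": tomcat_escapes_root(s),
        }
        for s in samples
    }

def bypasses(samples=SAMPLES):
    """Inputs the old check accepted even though Tomcat resolves them outside the root."""
    return [s for s, r in evaluate(samples).items()
            if r["vulnerable_allows"] and r["tomcat_escapes_root"]]

if __name__ == "__main__":
    for s, r in evaluate().items():
        print(f"{s!r:32} {r}")
```

Running it shows that only the leading-slash inputs are accepted by the old check while still escaping the root, and that the fixed check rejects every traversal while still allowing skin/style.css.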

Attack Vector

Exploitation requires only a single HTTP GET request to the vulnerable endpoint with a crafted resource parameter. No authentication, user interaction, or prior knowledge of the wiki structure is required. The attacker controls the path supplied to the classloader and can iterate through known file paths to extract configuration data.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Excerpt of the fixed check from ClassLoaderUtils. The enclosing method and the
// return statement are not part of the quoted commit; they are added here only so
// the excerpt compiles on its own.
static String checkResourcePath(String resourcePath) {
    String fullPath = resourcePath;

    // Prevent access to resources from other directories
    // TODO: find or implement something closer to Servlet ClassLoader behavior to be as accurate as possible
    // and be able to reuse the normalized result. Not so easy since the various applications servers can use
    // different logics.

    // On Tomcat, all leading / have no effect, contrary to Paths#normalize()
    int index = 0;
    while (index < fullPath.length() && fullPath.charAt(index) == '/') {
        ++index;
    }
    String normalizedPath = fullPath.substring(index);

    // With the leading slashes gone, a path that climbs out of the root now
    // normalizes to a relative path whose first element is "..", which is rejected.
    Path normalizedResource = Paths.get(normalizedPath).normalize();
    if (normalizedResource.startsWith("../")) {
        throw new IllegalArgumentException(String.format(
            "The provided resource name [%s] is trying to navigate out of the mandatory root location",
            fullPath));
    }

    return normalizedPath;
}
```

Source: GitHub Commit a979cafd — The patch strips all leading / characters before calling Paths.get().normalize(), ensuring the traversal check matches Tomcat's actual classpath resolution behavior.

Detection Methods for CVE-2026-23734

Indicators of Compromise

  • HTTP requests to /bin/ssx/ or /bin/jsx/ containing a resource parameter with ../ sequences or leading / characters
  • Access log entries referencing sensitive paths such as WEB-INF/xwiki.cfg, WEB-INF/hibernate.cfg.xml, or WEB-INF/web.xml via the resource parameter
  • Unexpected 200 responses from ssx or jsx endpoints serving content that does not match a registered skin extension

Detection Strategies

  • Inspect web server and reverse proxy logs for resource= parameter values containing .., %2e%2e, or repeated leading slashes
  • Alert on ssx/jsx endpoint responses with Content-Type values inconsistent with CSS or JavaScript assets
  • Correlate requests targeting the same client IP probing multiple resource paths in rapid succession
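The three strategies above can be exercised together on access logs. The following is an added example, not part of the advisory or of XWiki: it parses combined-format log lines, keeps only /bin/ssx/ and /bin/jsx/ requests, peels off repeated percent-encoding so %252e%252e is seen as .., flags resource values that start with / or contain a .. segment, and groups hits by client IP. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Tomcat combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2026:10:00:01 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.5 - - [20/May/2026:10:00:02 +0000] "GET /bin/jsx/Main/WebHome?resource=%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 2210 "-" "curl/8.0"
198.51.100.7 - - [20/May/2026:10:00:03 +0000] "GET /bin/ssx/XWiki/Skin?resource=skin/style.css&minify=true HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [20/May/2026:10:00:04 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT_RE = re.compile(r"^/bin/(ssx|jsx)/")
# Leading slash, or a ".." name element anywhere in the value.
TRAVERSAL_RE = re.compile(r"(^/|(^|/)\.\.(/|$))")

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_resources(log_text: str):
    """Return (ip, status, param, decoded) for ssx/jsx requests whose resource
    parameter starts with '/' or contains a '..' segment once fully decoded.
    `param` is the value after parse_qs removed one encoding layer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not ENDPOINT_RE.match(parts.path):
            continue
        for param in parse_qs(parts.query, keep_blank_values=True).get("resource", []):
            decoded = fully_decode(param)
            if TRAVERSAL_RE.search(decoded):
                hits.append((m["ip"], int(m["status"]), param, decoded))
    return hits

def ips_probing_many(log_text: str, threshold: int = 2):
    """Client IPs with at least `threshold` distinct suspicious resource values,
    the 'iterating through known file paths' pattern described above."""
    seen = {}
    for ip, _status, _param, decoded in suspicious_resources(log_text):
        seen.setdefault(ip, set()).add(decoded)
    return sorted(ip for ip, paths in seen.items() if len(paths) >= threshold)
```

A 200 status on a flagged line (as in the first two samples) is the strongest signal, since a patched instance answers such requests with an error.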

Monitoring Recommendations

  • Forward XWiki and Tomcat access logs to a centralized analytics platform for query-based hunting on the resource parameter
  • Baseline normal ssx/jsx traffic patterns and flag deviations in path structure or response size
  • Monitor outbound connections from the XWiki host that could indicate follow-on use of stolen credentials

How to Mitigate CVE-2026-23734

Immediate Actions Required

  • Upgrade XWiki Platform to 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17 depending on the deployed release branch
  • Rotate any secrets stored in xwiki.cfg, xwiki.properties, and hibernate.cfg.xml if exploitation cannot be ruled out
  • Restrict network access to the XWiki instance until patches are applied

Patch Information

The issue is fixed in XWiki Platform 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17. The fix in ClassLoaderUtils strips leading / characters before path normalization to align traversal detection with Tomcat's classpath resolution. Review the GitHub Security Advisory GHSA-xq3r-2qv5-vqqm and tracking issue XCOMMONS-3547 for full details.

Workarounds

  • Deploy a web application firewall rule that blocks requests to ssx and jsx endpoints when the resource parameter contains .. or starts with /
  • Configure the reverse proxy to reject query strings containing encoded traversal sequences such as %2e%2e%2f
  • Limit filesystem permissions on WEB-INF/ so that the Tomcat process cannot read sensitive credential files that are not required at runtime

```apache
# Example ModSecurity rule to block traversal in the resource parameter.
# ARGS values are already URL-decoded once; t:urlDecodeUni additionally
# catches double-encoded sequences such as %252e%252e.
SecRule REQUEST_URI "@rx /bin/(ssx|jsx)/" \
    "chain,id:1002601,phase:2,deny,status:403,msg:'XWiki CVE-2026-23734 path traversal attempt'"
    SecRule ARGS:resource "@rx (^/|\.\./|%2e%2e)" "t:lowercase,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
