Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32251

CVE-2026-32251: Tolgee XXE Vulnerability

CVE-2026-32251 is an XML External Entity (XXE) vulnerability in Tolgee that allows authenticated users to read server files and access internal services. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-32251 Overview

CVE-2026-32251 is a critical XML External Entity (XXE) vulnerability affecting Tolgee, an open-source localization platform. The vulnerability exists in the XML parsers used for importing Android XML resources (.xml) and .resx files, which fail to disable external entity processing. An authenticated user with permission to import translation files into a project can exploit this flaw to read arbitrary files from the server and make server-side requests to internal services.

Critical Impact

Authenticated attackers can exploit insecure XML parsing to exfiltrate sensitive server files and perform Server-Side Request Forgery (SSRF) attacks against internal infrastructure.

Affected Products

  • Tolgee Platform versions prior to 3.166.3
  • Tolgee installations using Android XML resource import functionality
  • Tolgee installations using .resx file import functionality

Discovery Timeline

  • 2026-03-12 - CVE CVE-2026-32251 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-32251

Vulnerability Analysis

This vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) stems from insecure configuration of XML parsers within the Tolgee platform's translation file import functionality. The XML processing components handling Android XML resources and RESX files do not properly restrict external entity references, enabling XXE injection attacks.

When processing crafted translation files, the vulnerable parser resolves external entities defined within the XML document. This allows attackers to reference local files on the server (such as /etc/passwd or application configuration files), leading to unauthorized information disclosure. Additionally, attackers can craft entities pointing to internal network services, enabling SSRF attacks that could be used to scan internal infrastructure, access metadata services, or interact with other backend systems.

Root Cause

The root cause is the use of XML parsers (XMLInputFactory) without disabling dangerous features such as external entity resolution and DTD processing. The vulnerable code paths exist in the StringsdictFileProcessor.kt and ResxProcessor.kt files, which process Apple .stringsdict and Microsoft .resx translation files respectively.

Attack Vector

The attack requires an authenticated user with permissions to import translation files into a Tolgee project. The attacker uploads a maliciously crafted XML file containing external entity declarations. When the server processes the import, it resolves these entities, potentially reading local files or making HTTP requests to attacker-specified endpoints.

text
// Security patch in StringsdictFileProcessor.kt
// Source: https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5

 import io.tolgee.formats.apple.`in`.guessNamespaceFromPath
 import io.tolgee.formats.importCommon.ImportFormat
 import io.tolgee.service.dataImport.processors.FileProcessorContext
-import javax.xml.stream.XMLInputFactory
+import io.tolgee.util.XmlSecurity
 import javax.xml.stream.events.StartElement
 
 open class StringsdictFileProcessor(
text
// Security patch in ResxProcessor.kt
// Source: https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5

 import io.tolgee.formats.importCommon.ImportFormat
 import io.tolgee.formats.resx.ResxEntry
 import io.tolgee.service.dataImport.processors.FileProcessorContext
+import io.tolgee.util.XmlSecurity
 import javax.xml.stream.XMLEventReader
-import javax.xml.stream.XMLInputFactory
 
 class ResxProcessor(
   override val context: FileProcessorContext,

The fix introduces a centralized XmlSecurity utility class that properly configures XML parsers with secure defaults, disabling external entity processing and DTD support.

Detection Methods for CVE-2026-32251

Indicators of Compromise

  • Unusual file import requests containing XML documents with DOCTYPE declarations or ENTITY definitions
  • Server logs showing attempts to access sensitive files like /etc/passwd, /etc/shadow, or application configuration files during import operations
  • Outbound HTTP/HTTPS requests from the Tolgee server to unexpected internal or external endpoints

Detection Strategies

  • Monitor translation file import endpoints for XML payloads containing external entity declarations or DOCTYPE definitions
  • Implement web application firewall (WAF) rules to detect and block XXE payloads in uploaded files
  • Review application logs for errors related to XML parsing or entity resolution failures

Monitoring Recommendations

  • Enable detailed logging for the Tolgee translation import functionality to capture all file processing activities
  • Configure alerting on any network connections initiated by the Tolgee server to internal services during file import operations
  • Implement file integrity monitoring on sensitive configuration files that could be targeted by XXE attacks

How to Mitigate CVE-2026-32251

Immediate Actions Required

  • Upgrade Tolgee Platform to version 3.166.3 or later immediately
  • Review import permissions and restrict translation file import capabilities to trusted users only
  • Audit recent import activity logs for any suspicious XML file uploads

Patch Information

The vulnerability has been fixed in Tolgee version 3.166.3. The fix introduces a centralized XmlSecurity utility that properly configures all XML parsers with secure settings, disabling external entity processing and DTD support. Organizations should update their Tolgee installations by pulling the latest release from the official GitHub repository. Additional details about the vulnerability and fix can be found in the GitHub Security Advisory GHSA-rcvv-64pq-vxfx.

Workarounds

  • Temporarily disable translation file import functionality until the patch can be applied
  • Implement network-level restrictions to prevent the Tolgee server from making outbound connections to internal services
  • Use a reverse proxy or WAF to filter incoming requests and block XML files containing DOCTYPE or ENTITY declarations
bash
# Example: Restrict outbound connections from Tolgee container using iptables
# Block outbound connections to internal network ranges during import operations
iptables -A OUTPUT -p tcp -d 10.0.0.0/8 -m owner --uid-owner tolgee -j DROP
iptables -A OUTPUT -p tcp -d 172.16.0.0/12 -m owner --uid-owner tolgee -j DROP
iptables -A OUTPUT -p tcp -d 192.168.0.0/16 -m owner --uid-owner tolgee -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne