CVE-2026-33137 Overview
CVE-2026-33137 is a critical missing authorization vulnerability [CWE-862] in the XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. The POST /wikis/{wikiName} REST API endpoint executes an XAR (XWiki Archive) import without performing any authentication or authorization check. An unauthenticated remote attacker can create or update arbitrary documents in the target wiki, leading to content tampering and, if script macros in the imported pages end up executing with sufficient rights, code execution. The vulnerability affects XWiki versions prior to 18.1.0-rc-1, 18.0.1, 17.10.3, 17.4.9, and 16.10.17.
Critical Impact
Unauthenticated attackers can import arbitrary XAR packages over the network, allowing creation or modification of wiki documents with no credentials required.
Affected Products
- XWiki Platform versions prior to 16.10.17
- XWiki Platform 17.x prior to 17.4.9 and 17.10.3
- XWiki Platform 18.x prior to 18.0.1 and 18.1.0-rc-1
Discovery Timeline
- 2026-05-20 - CVE-2026-33137 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-33137
Vulnerability Analysis
The vulnerability resides in WikiResourceImpl.java, the REST resource handler for the /wikis/{wikiName} endpoint in the xwiki-platform-rest-server module. The POST method on this endpoint accepts a XAR archive upload and triggers a wiki import. The vulnerable handler dispatches straight to the import logic without consulting the ContextualAuthorizationManager to verify that the caller holds the Right required to write to the target wiki.
Because the request never passes through an authentication or authorization gate, anyone who can reach the endpoint over the network can submit a crafted XAR file. A XAR archive is a ZIP container holding an XML manifest and one XML file per document, describing wiki pages, attachments, objects, and metadata. Importing a malicious XAR can overwrite existing pages, plant script macros or rights-bearing objects in new pages, or stage further exploitation within the XWiki application.
Root Cause
The root cause is missing authorization [CWE-862] on a state-changing REST endpoint. The XAR import handler acted on the request without consulting the rights model and mutated wiki content with no rights check. The patch introduces explicit calls to ContextualAuthorizationManager to enforce the appropriate Right and throws AccessDeniedException for unauthorized callers.
Attack Vector
Exploitation requires only network access to the XWiki REST API. The attacker sends an HTTP POST request to /wikis/{wikiName} with a crafted XAR archive in the body. No credentials, user interaction, or prior foothold are required. Depending on the contents of the archive, the attacker can then create new documents or replace existing ones, including pages that carry rights objects such as XWiki.XWikiRights.
import org.xwiki.rest.internal.DomainObjectFactory;
import org.xwiki.rest.model.jaxb.Wiki;
import org.xwiki.rest.resources.wikis.WikiResource;
+import org.xwiki.security.authorization.AccessDeniedException;
+import org.xwiki.security.authorization.ContextualAuthorizationManager;
+import org.xwiki.security.authorization.Right;
import org.xwiki.wiki.descriptor.WikiDescriptorManager;
import org.xwiki.wiki.manager.WikiManagerException;
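Review bot: this hunk only introduces the three imports (AccessDeniedException, ContextualAuthorizationManager, Right); the call site that actually performs the check is not in the excerpt, so from these lines a reviewer cannot confirm which Right is enforced or against which entity (the target wiki reference, or each document the XAR would write). Please include the POST handler hunk, and make sure the checkAccess call sits before the uploaded archive is read or unpacked, so an unauthenticated caller cannot drive the XAR parser at all.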
Source: XWiki Platform Security Patch Commit 4b7b95b
The excerpt shows only the added imports for AccessDeniedException, ContextualAuthorizationManager, and Right; the patched WikiResourceImpl uses these elsewhere in the diff to enforce authorization before processing a XAR import.
Detection Methods for CVE-2026-33137
Indicators of Compromise
- HTTP POST requests to the wiki resource itself (typically /xwiki/rest/wikis/{wikiName}, with no further path segments) in web server access logs, particularly from unfamiliar source addresses, with large request bodies (a XAR is a ZIP archive), or, where request headers are logged, with a Content-Type indicating ZIP or XAR data.
- Unexpected creation or modification of wiki pages, particularly pages containing Groovy, Velocity, or Python script macros, or revisions whose recorded author is the guest user rather than a known account.
- New or modified XWiki.XWikiRights objects granting elevated permissions following an import event.
Detection Strategies
- Inspect web server access logs for POST requests whose path ends at /rest/wikis/{wikiName}. Standard access logs do not record the XWiki session user, so treat every such request as suspect and resolve the acting principal from the XWiki side (application logs and document revision history) rather than from the access log alone.
- Correlate XAR import events in XWiki application logs with document revision history to identify imports performed without an authenticated principal.
- Compare wiki document checksums against known-good baselines to flag unauthorized mass page modifications.
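The two log-side checks above (flagging POSTs to the wiki resource, and separating them from ordinary page edits under deeper /rest/wikis/... paths) are straightforward to script. The following is an added example for this page, not XWiki project code. It assumes the combined log format that nginx and Apache emit by default, a REST path layout of /<context>/rest/wikis/{wikiName}, and constructed sample lines rather than real traffic; it also copes with the query string the import endpoint takes (for example ?backup=...&history=...) and a trailing slash, and it records whether the server accepted or rejected each attempt.

```python
"""Flag XAR-import requests to the XWiki wiki resource in web server access logs.

Added example for this page; not XWiki project code. Assumes the combined log
format (nginx/Apache default) and the path layout /<context>/rest/wikis/{wikiName}.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Combined log format fields we need; referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The wiki resource itself: /<context>/rest/wikis/<wikiName>, optional trailing slash,
# no further segments (deeper paths are space/page resources, not the XAR import).
IMPORT_PATH_RE = re.compile(r'^(?:/[^/]+)?/rest/wikis/(?P<wiki>[^/]+)/?$')

# POST is the documented import method; PUT is included defensively (assumption).
MUTATING_METHODS = {"POST", "PUT"}


@dataclass
class ImportRequest:
    ip: str
    timestamp: str
    method: str
    path: str
    query: str
    wiki: str
    status: int
    size: int

    @property
    def accepted(self) -> bool:
        """True when the server did not reject the request (status below 400)."""
        return self.status < 400


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_import_requests(lines: Iterable[str]) -> List[ImportRequest]:
    """Return every mutating request aimed at the wiki resource, in log order."""
    findings: List[ImportRequest] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in MUTATING_METHODS:
            continue
        parts = urlsplit(rec["target"])  # splits off "?backup=...&history=..."
        m = IMPORT_PATH_RE.match(parts.path)
        if m is None:
            continue
        findings.append(ImportRequest(
            ip=rec["ip"], timestamp=rec["ts"], method=rec["method"],
            path=parts.path, query=parts.query, wiki=m.group("wiki"),
            status=int(rec["status"]),
            size=0 if rec["size"] == "-" else int(rec["size"]),
        ))
    return findings


# Constructed sample lines (not real traffic). Lines 1 and 4 are import attempts;
# line 3 is an ordinary page edit under a deeper REST path and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2026:10:14:02 +0000] "POST /xwiki/rest/wikis/xwiki?backup=false&history=ADD HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '198.51.100.3 - - [20/May/2026:10:14:05 +0000] "GET /xwiki/rest/wikis/xwiki HTTP/1.1" 200 1187 "-" "curl/8.4.0"',
    '198.51.100.3 - - [20/May/2026:10:15:40 +0000] "PUT /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 202 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [20/May/2026:10:16:11 +0000] "POST /xwiki/rest/wikis/subwiki/ HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    'garbage line that is not a log record',
]

if __name__ == "__main__":
    for f in flag_import_requests(SAMPLE_LOG):
        verdict = "ACCEPTED" if f.accepted else "rejected"
        print(f"{f.timestamp} {f.ip} {f.method} wiki={f.wiki} status={f.status} {verdict}")
```

Feed it the real log (one line per element) and triage accepted hits first: a 2xx on the wiki resource from an unknown address is an import that went through, and the documents it touched should show up in revision history around the same timestamp. The user field in the combined format is only populated for HTTP Basic authentication handled by the web server, so it says nothing about the XWiki session; that is why the script does not try to decide "anonymous" on its own.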
Monitoring Recommendations
- Enable verbose REST API logging and forward logs to a centralized SIEM for retention and correlation.
- Alert on bulk document creation or revision events occurring within a short time window.
- Monitor outbound network connections from the XWiki JVM process, which may indicate post-exploitation activity following a malicious import.
How to Mitigate CVE-2026-33137
Immediate Actions Required
- Upgrade XWiki Platform to a patched release: 16.10.17, 17.4.9, 17.10.3, 18.0.1, or 18.1.0-rc-1.
- Restrict network access to the XWiki REST API by placing the application behind an authenticated reverse proxy until patching completes.
- Audit wiki document revisions and XWikiRights objects for unauthorized changes created prior to remediation.
Patch Information
The fix is committed in xwiki-platform commit 4b7b95b, tracked in XWIKI-23953, and documented in GHSA-qrvh-r3f2-9h4r. The patch enforces a ContextualAuthorizationManager rights check on the WikiResourceImpl POST handler before any XAR import is performed.
Workarounds
- Block POST requests to the /wikis/{wikiName} REST endpoint at the web server or reverse proxy layer if upgrading immediately is not feasible.
- Require client certificate or basic authentication at the proxy for all /rest/wikis/* paths.
- Deny access to the whole REST API (/xwiki/rest/ and below) at the proxy for environments that do not require programmatic access, until the patched version is deployed.
# Example nginx rule: require proxy-side credentials for any non-GET request to the
# wiki resource itself (/xwiki/rest/wikis/{wikiName}), where the XAR import lives.
# Deeper paths (spaces, pages, attachments) are not affected by this rule.
# Adjust the /xwiki prefix if XWiki is deployed under a different context path.
location ~ ^/xwiki/rest/wikis/[^/]+/?$ {
    limit_except GET {
        auth_basic "XWiki Admin";
        auth_basic_user_file /etc/nginx/.xwiki_htpasswd;
    }
    proxy_pass http://xwiki_backend;
}
This is a stopgap, not a substitute for the upgrade: nginx forwards the Authorization header it validated on to XWiki unchanged, so do not reuse XWiki account passwords in the htpasswd file, and remove the rule once the patched release is in place.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

