CVE-2026-38429 Overview
CVE-2026-38429 is an XML External Entity (XXE) vulnerability affecting OpenCMS v20 and earlier. The flaw exists in the Admin Import DB feature, which parses user-supplied .zip archives containing a manifest.xml file. The XML parser does not disable external entity resolution, allowing attackers to inject malicious entity references during import operations. This vulnerability is classified under [CWE-611] Improper Restriction of XML External Entity Reference.
Critical Impact
Network-accessible attackers can exploit the XXE flaw to read arbitrary files on the server, perform server-side request forgery (SSRF), and potentially achieve remote code execution through the Admin Import DB functionality.
Affected Products
- OpenCMS v20
- OpenCMS versions prior to v20
- Alkacon OpenCMS Core (opencms-core)
Discovery Timeline
- 2026-05-05 - CVE-2026-38429 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-38429
Vulnerability Analysis
The vulnerability resides in the OpenCMS import/export subsystem, specifically in the legacy import handlers CmsImportVersion2.java and CmsImportVersion3.java. When an administrator uploads a .zip archive through the Admin Import DB feature, OpenCMS extracts the embedded manifest.xml and parses it using a default XML parser configuration. The parser does not register a secure entity resolver, leaving external entity processing enabled.
Attackers craft a malicious manifest.xml containing external entity declarations that reference local files (using file:// URIs) or remote URLs (using http:// URIs). The parser dereferences these entities during processing, returning their contents through error messages or log output, or triggering outbound network requests from the OpenCMS server.
Root Cause
The root cause is the absence of a hardened XML parser configuration in the legacy import handlers. The patched code introduces CmsXmlEntityResolver, a project-specific resolver that blocks external entity resolution at parse time. Without this resolver, the underlying SAX or DOM parser falls back to default behavior, which permits inline DOCTYPE declarations and external entity expansion.
Attack Vector
Exploitation requires network access to the OpenCMS administrative interface and the ability to submit an import archive. An attacker with valid administrative credentials, or one who has compromised an administrator session, uploads a crafted .zip containing a malicious manifest.xml. Upon import, the server-side parser resolves the external entities, exposing sensitive file contents such as /etc/passwd, application configuration, or credential stores, and allowing internal network reconnaissance through SSRF.
import org.opencms.security.I_CmsPasswordHandler;
import org.opencms.util.CmsStringUtil;
import org.opencms.util.CmsUUID;
+import org.opencms.xml.CmsXmlEntityResolver;
import org.opencms.xml.CmsXmlException;
import org.opencms.xml.CmsXmlUtils;
import org.opencms.xml.page.CmsXmlPage;
Source: OpenCMS Core Patch Commit — The patch imports CmsXmlEntityResolver into both CmsImportVersion2.java and CmsImportVersion3.java to block external entity resolution during legacy import operations.
Detection Methods for CVE-2026-38429
Indicators of Compromise
- Unexpected outbound network connections originating from the OpenCMS Java process to attacker-controlled hosts immediately after an Admin Import DB action.
- Presence of manifest.xml files containing <!DOCTYPE> declarations with SYSTEM or PUBLIC external entity references inside imported .zip archives.
- OpenCMS error logs containing fragments of local files such as /etc/passwd, web.xml, or property files referenced through XML entity expansion.
- Anomalous read access to sensitive filesystem paths by the OpenCMS service account.
Detection Strategies
- Inspect import archive contents at the web application firewall (WAF) layer for DOCTYPE and ENTITY keywords inside manifest.xml.
- Monitor the OpenCMS server for outbound DNS lookups or HTTP requests to non-allowlisted destinations correlated with administrative import events.
- Review audit logs for Admin Import DB operations performed by accounts that do not normally execute imports.
Monitoring Recommendations
- Enable verbose logging in the OpenCMS import subsystem and forward logs to a centralized SIEM for correlation.
- Alert on filesystem reads of sensitive system files by the Java runtime hosting OpenCMS.
- Track administrative session activity, including IP geolocation and user-agent anomalies, on the /system/workplace/ paths.
How to Mitigate CVE-2026-38429
Immediate Actions Required
- Upgrade OpenCMS to a version that includes commit e3e41e5a96d71383279e7d23c627efc9934008c1 or later, which registers CmsXmlEntityResolver in the legacy import handlers.
- Restrict access to the OpenCMS administration workplace to trusted source IP ranges using network controls or reverse proxy rules.
- Audit all administrator accounts and rotate credentials for any account suspected of being used to perform unauthorized imports.
Patch Information
Alkacon resolved the vulnerability in the OpenCMS Core security commit. The fix modifies src/org/opencms/importexport/CmsImportVersion2.java and src/org/opencms/importexport/CmsImportVersion3.java to import and apply CmsXmlEntityResolver, which prevents the XML parser from resolving external entities during manifest processing.
Workarounds
- Disable the Admin Import DB feature in production environments where it is not actively required.
- Place the OpenCMS administration interface behind a VPN or zero-trust access proxy to reduce exposure to unauthenticated network attackers.
- Implement upload validation that rejects .zip archives whose manifest.xml contains <!DOCTYPE or <!ENTITY declarations.
# Inspect a manifest.xml inside an OpenCMS import archive for XXE payloads
unzip -p import-bundle.zip manifest.xml | grep -E '<!DOCTYPE|<!ENTITY|SYSTEM|PUBLIC'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
