CVE-2026-40104 Overview
CVE-2026-40104 is a resource exhaustion vulnerability affecting XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. The vulnerability exists in REST API endpoints that list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources, leading to denial of service conditions.
Critical Impact
Unauthenticated attackers can trigger resource exhaustion on XWiki servers by accessing vulnerable REST API endpoints, potentially causing service unavailability for legitimate users.
Affected Products
- XWiki Platform versions from 1.8-rc-1 and prior
- XWiki Platform versions from 17.0.0-rc-1 and prior
- XWiki Platform versions from 17.5.0-rc-1 and prior
Discovery Timeline
- April 15, 2026 - CVE-2026-40104 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40104
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw resides in specific REST API endpoints within XWiki Platform that handle metadata retrieval for database list properties.
When a request is made to vulnerable endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, the system attempts to enumerate and return all available wiki pages as part of the response metadata. The critical issue is that no query limits or pagination controls are applied to this enumeration process.
On wikis with a large number of pages, this unbounded query can consume excessive memory and CPU resources as the server attempts to compile and serialize a potentially massive dataset. This creates a denial of service condition where legitimate users may be unable to access the wiki due to resource starvation.
Root Cause
The root cause of this vulnerability is improper resource allocation in the REST API's property metadata retrieval logic. The code responsible for fetching database list property options fails to implement pagination or result set limits, allowing unbounded data retrieval operations. This design flaw violates secure coding principles that mandate resource consumption controls for operations that could scale with data size.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests to the vulnerable REST API endpoints. The attack is particularly effective against large XWiki installations where the number of pages is substantial.
The exploitation is straightforward: an attacker identifies a vulnerable XWiki instance and crafts requests to the affected REST endpoints. Each request forces the server to enumerate all wiki pages without limits, consuming server resources. By sending multiple concurrent requests, an attacker can amplify the impact and potentially bring down the wiki service entirely.
For technical details on the vulnerability and the patch implementation, refer to the GitHub Security Advisory and the commit that addresses this issue.
Detection Methods for CVE-2026-40104
Indicators of Compromise
- Unusual spikes in memory or CPU utilization on XWiki servers
- Increased response times or timeouts for REST API requests
- Multiple requests to /xwiki/rest/wikis/*/spaces/*/pages/*/objects/*/properties endpoints from single IP addresses
- Server logs showing large response payloads from property metadata endpoints
Detection Strategies
- Monitor REST API access logs for repeated requests to property metadata endpoints
- Implement rate limiting detection rules for requests to /xwiki/rest/ endpoints
- Configure alerting thresholds for abnormal resource consumption patterns on XWiki servers
- Deploy web application firewalls with rules to detect and block rapid sequential API requests
Monitoring Recommendations
- Enable detailed logging for XWiki REST API endpoints to capture request patterns
- Set up server resource monitoring with alerts for memory and CPU usage exceeding normal baselines
- Implement connection tracking to identify sources generating excessive API requests
- Review access logs regularly for patterns consistent with resource exhaustion attacks
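The indicators and detection strategies above can be turned into a small log-analysis check. The following is an added example for this page, not XWiki's or any vendor's tooling: it parses access-log lines in the common nginx/Apache "combined" layout, matches the /xwiki/rest/wikis/.../objects/.../properties endpoint family named in the indicators (the object segment is assumed to be `{className}/{number}`, as in the example URL given in the technical details), and flags a client that hits those endpoints more than a threshold number of times inside a sliding window, as well as individual oversized responses. The log lines, IP addresses, thresholds and byte counts are constructed for illustration, and the input is assumed to be in chronological order.

```python
"""Detect burst access to XWiki REST property-metadata endpoints in access logs.

Added example for this advisory; not XWiki's or nginx's code. Assumes
nginx/Apache "combined" log layout and chronologically ordered lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoint family from the advisory's indicators:
#   /xwiki/rest/wikis/*/spaces/*/pages/*/objects/*/properties
# Nested spaces repeat the spaces/<name>/ segment; the object part is assumed
# to be <className>/<number>, matching the example URL in the advisory.
PROPERTIES_ENDPOINT = re.compile(
    r"^/xwiki/rest/wikis/[^/]+/(?:spaces/[^/]+/)+pages/[^/]+"
    r"/objects/[^/]+/\d+/properties(?:/|\?|$)"
)

# Leading fields of a "combined" access-log line (referer/UA are ignored).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict with ip/time/path/status/bytes, or None for unparsable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def analyze(lines, window=timedelta(seconds=60), burst_threshold=10,
            large_response=5_000_000):
    """Scan log lines and return a list of findings.

    - "burst": one client made >= burst_threshold property-metadata requests
      within `window` (reported once per client).
    - "large_response": a single property-metadata response exceeded
      `large_response` bytes, consistent with an unbounded page enumeration.
    """
    findings = []
    recent = defaultdict(deque)   # ip -> timestamps of endpoint hits still in window
    already_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROPERTIES_ENDPOINT.match(rec["path"]):
            continue
        if rec["bytes"] >= large_response:
            findings.append({"type": "large_response", "ip": rec["ip"],
                             "path": rec["path"], "bytes": rec["bytes"]})
        hits = recent[rec["ip"]]
        hits.append(rec["time"])
        while hits and rec["time"] - hits[0] > window:   # slide the window
            hits.popleft()
        if len(hits) >= burst_threshold and rec["ip"] not in already_flagged:
            already_flagged.add(rec["ip"])
            findings.append({"type": "burst", "ip": rec["ip"], "count": len(hits),
                             "window_s": window.total_seconds()})
    return findings


# Constructed sample log: one client repeatedly pulls property metadata (each
# response tens of MB on a large wiki); another client browses normally.
SAMPLE_LOG = [
    f'203.0.113.5 - - [15/Apr/2026:10:00:{sec:02d} +0000] '
    f'"GET /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig'
    f'/objects/AnnotationCode.AnnotationConfig/0/properties HTTP/1.1" 200 {48_000_000 + sec}'
    for sec in range(0, 24, 2)
] + [
    '198.51.100.7 - - [15/Apr/2026:10:00:05 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 18342',
    '198.51.100.7 - - [15/Apr/2026:10:00:09 +0000] '
    '"GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against real logs by feeding the file's lines to `analyze()`; the thresholds are starting points to tune against the baseline traffic of the wiki in question, and on a small wiki the `large_response` threshold should be lowered since the response size scales with the page count.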
How to Mitigate CVE-2026-40104
Immediate Actions Required
- Upgrade XWiki Platform to patched versions 16.10.16, 17.4.8, or 17.10.1 immediately
- Implement rate limiting on REST API endpoints as a temporary measure
- Consider restricting access to REST API endpoints using authentication requirements or IP allowlists
- Monitor server resources closely until patches can be applied
Patch Information
XWiki has released security patches addressing this vulnerability in versions 16.10.16, 17.4.8, and 17.10.1. The fix implements proper query limits for database list property metadata retrieval, preventing unbounded resource consumption.
Detailed patch information is available through the following resources:
Workarounds
- Deploy a reverse proxy or web application firewall to rate-limit requests to REST API endpoints
- Restrict access to the /xwiki/rest/ path to authenticated users only if business requirements permit
- Implement network-level access controls to limit REST API access to trusted IP ranges
- Consider temporarily disabling the AnnotationCode features if not actively used
# Example nginx rate limiting configuration for XWiki REST API
# limit_req_zone must be declared in the http {} context; the location block
# goes inside the server {} block that fronts XWiki. "xwiki_backend" is the
# name of an upstream {} block you define to point at the XWiki servlet container.
limit_req_zone $binary_remote_addr zone=xwiki_rest:10m rate=10r/s;

location /xwiki/rest/ {
    limit_req zone=xwiki_rest burst=20 nodelay;
    limit_req_status 429;
    proxy_pass http://xwiki_backend;
}
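To see what the configuration above does to a flood of requests, here is an added model of the leaky-bucket accounting that nginx's limit_req uses, written for this page; it is not nginx's code, only a simplified re-implementation of the documented behaviour (per-client "excess" counter in thousandths of a request, rejected requests do not advance the counter, nodelay lets accepted requests through immediately). The rate, burst and request timings are constructed to mirror the `rate=10r/s`, `burst=20`, `nodelay` settings shown.

```python
"""Model of nginx limit_req accounting: rate=10r/s, burst=20, nodelay.

Added example for this advisory; not nginx's code. Times are milliseconds.
"""


class LeakyBucketLimiter:
    """Per-client limiter using nginx-style 'excess' bookkeeping.

    excess is kept in milli-requests: each request adds 1000, and the
    configured rate drains it over time. A request is rejected when the
    drained excess would exceed burst * 1000.
    """

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec * 1000      # milli-requests drained per second
        self.burst = burst * 1000            # allowed excess in milli-requests
        self.state = {}                      # key -> (last_ms, excess)

    def check(self, key, now_ms):
        """Return True if the request is accepted, False if it should get 429."""
        if key not in self.state:            # first request from this client
            self.state[key] = (now_ms, 0)
            return True
        last_ms, excess = self.state[key]
        elapsed = max(now_ms - last_ms, 0)
        excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return False                     # over burst: nginx answers limit_req_status
        self.state[key] = (now_ms, excess)   # rejected requests never reach this line
        return True


def simulate(timestamps_ms, rate_per_sec=10, burst=20, key="203.0.113.5"):
    """Run one client's request timeline through the limiter; True = accepted."""
    limiter = LeakyBucketLimiter(rate_per_sec, burst)
    return [limiter.check(key, t) for t in timestamps_ms]


def accepted_count(timestamps_ms, **kwargs):
    return sum(simulate(timestamps_ms, **kwargs))


if __name__ == "__main__":
    # Constructed timelines (ms): 100 requests at once, 100 at exactly 10 r/s,
    # and 100 at 20 r/s (double the configured rate).
    print("flood of 100 at t=0:      ", accepted_count([0] * 100), "accepted")
    print("100 requests at 10 r/s:   ", accepted_count(list(range(0, 10000, 100))), "accepted")
    print("100 requests at 20 r/s:   ", accepted_count(list(range(0, 5000, 50))), "accepted")
```

The instantaneous flood gets the first request plus the 20-request burst allowance through and nothing more; a client that stays at the configured rate is never limited; a client at twice the rate uses up the burst and is then cut back to roughly every other request, which is the 10 r/s average the zone enforces. A single-IP limit like this blunts one noisy source but not a distributed flood, so it complements, rather than replaces, upgrading to the fixed versions.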
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

