CVE-2026-42140 Overview
CVE-2026-42140 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in the PlantUML Macro extension for XWiki. The macro renders UML diagrams from textual diagram descriptions and accepts an alternative PlantUML server through a server parameter. Versions prior to 2.4.1 fail to validate the supplied URL, allowing attackers to point the server-side request at internal IP addresses or arbitrary external endpoints. While rendering the diagram, the XWiki server connects to the attacker-controlled URL. Maintainers patched this issue in version 2.4.1 by introducing a known-domains check.
Critical Impact
An authenticated XWiki user can coerce the server to issue HTTP requests to internal services, enabling reconnaissance of internal networks and limited interaction with non-public endpoints.
Affected Products
- XWiki Contrib PlantUML Macro versions prior to 2.4.1
- XWiki instances with the macro-plantuml extension installed
- Deployments exposing the PlantUML macro to authenticated users
Discovery Timeline
- 2026-05-04 - CVE-2026-42140 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42140
Vulnerability Analysis
The PlantUML Macro lets users override the default rendering server through a server parameter inside the macro syntax. The XWiki backend takes this value, builds an HTTP request, and contacts the supplied host to fetch the rendered diagram. Because the macro performs no allow-list or scheme validation on the URL, the request executes against any host reachable from the XWiki server, including loopback addresses, link-local metadata endpoints, and internal services.
This behavior matches the classic SSRF [CWE-918] pattern. An attacker with permission to edit a wiki page can embed a PlantUML macro that targets internal infrastructure such as http://127.0.0.1:8080, http://169.254.169.254/latest/meta-data/, or unauthenticated administrative endpoints. The server's response or timing differences can leak information about the internal network topology.
Root Cause
The macro accepts a user-controlled URL through the server parameter and passes it directly to the HTTP client without validating the host, port, or scheme. No allow-list of trusted PlantUML servers existed before version 2.4.1, and the application did not block requests targeting private address ranges.
Attack Vector
Exploitation requires an authenticated user with edit rights on a wiki page and user interaction to render the page. The attacker creates a page containing a PlantUML macro that sets the server parameter to an internal or attacker-controlled URL. When the page renders, the XWiki backend issues the outbound request from its own network position.
// Patch excerpt - macro-plantuml-macro/src/main/java/org/xwiki/contrib/plantuml/internal/PlantUMLMacro.java
package org.xwiki.contrib.plantuml.internal;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
Source: GitHub Commit c8b19bd
The patch introduces java.net.URL parsing and a domain check, and adds a dependency on xwiki-platform-url-api for centralized URL validation.
Detection Methods for CVE-2026-42140
Indicators of Compromise
- Outbound HTTP requests originating from the XWiki server process to private address ranges such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 127.0.0.0/8.
- Requests from XWiki to cloud metadata endpoints, including 169.254.169.254 and metadata.google.internal.
- Wiki page revisions containing PlantUML macros with a non-default server parameter pointing outside trusted PlantUML hosts.
Detection Strategies
- Review XWiki page history for {{plantuml server=...}} macro instances and flag any non-standard endpoints.
- Inspect the XWiki application logs for HTTP client errors referencing internal hostnames or unusual ports.
- Correlate egress proxy logs with the XWiki server identity to surface unexpected destinations triggered by macro rendering.
Monitoring Recommendations
- Deploy egress filtering and alert on any outbound traffic from the XWiki host that targets internal subnets or cloud metadata services.
- Track installed extension versions and alert when macro-plantuml reports a version below 2.4.1.
- Monitor authenticated-user activity on wiki pages, focusing on edits that introduce or modify PlantUML macros.
How to Mitigate CVE-2026-42140
Immediate Actions Required
- Upgrade the PlantUML Macro extension to version 2.4.1 or later through the XWiki Extension Manager.
- Restrict edit permissions on wiki pages to trusted users until the upgrade is verified in production.
- Audit existing pages for PlantUML macros referencing untrusted server values and remove or sanitize them.
Patch Information
The fix is committed in GitHub Commit c8b19bd and described in GHSA-42fc-7w97-8vrc. Tracking is available in Jira PLANTUML-25. Version 2.4.1 introduces URL parsing through java.net.URL and validates the supplied host against a known-domains list using the xwiki-platform-url-api component.
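Added illustration, not code from the extension or from commit c8b19bd: a Python validator that applies the kind of scheme, host and known-domains check the patch describes, together with a scanner for the {{plantuml server=...}} macro instances the detection strategy above says to review. The trusted host and the sample page source are constructed for the example.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of trusted rendering hosts (hypothetical, not an XWiki default).
TRUSTED_PLANTUML_HOSTS = {"plantuml.example.org"}

# Matches a PlantUML macro that sets the server parameter, quoted or unquoted,
# e.g. {{plantuml server="http://host:8080"}}; the closing {{/plantuml}} never matches.
MACRO_SERVER_RE = re.compile(r'\{\{plantuml\b[^}]*?\bserver\s*=\s*"?([^"\s}]+)"?', re.I)

def validate_server_url(url: str, trusted_hosts=TRUSTED_PLANTUML_HOSTS) -> Optional[str]:
    """Return None if the URL may be contacted, otherwise the reason it is rejected.
    This is the check the unpatched macro lacked: scheme and host are parsed, literal
    loopback/private/link-local addresses are refused, and the host must be allow-listed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return f"host {host} is a non-public address"
    if host not in trusted_hosts:
        return f"host {host} is not a known PlantUML server"
    return None

def find_untrusted_macros(page_source: str, trusted_hosts=TRUSTED_PLANTUML_HOSTS):
    """Scan XWiki page source and return (url, reason) for every PlantUML macro
    whose server parameter fails validation; run it over page history exports."""
    findings = []
    for match in MACRO_SERVER_RE.finditer(page_source):
        url = match.group(1)
        reason = validate_server_url(url, trusted_hosts)
        if reason:
            findings.append((url, reason))
    return findings

# Constructed page source: default macro, two non-public overrides, one trusted override.
SAMPLE_PAGE = """{{plantuml}}Alice -> Bob{{/plantuml}}
{{plantuml server="http://127.0.0.1:8080"}}A -> B{{/plantuml}}
{{plantuml server=http://169.254.169.254/latest/meta-data/}}A -> B{{/plantuml}}
{{plantuml server="https://plantuml.example.org"}}A -> B{{/plantuml}}
"""
```

The check inspects the literal host string only; a production validator should also resolve the name and check the resulting addresses before the HTTP client connects.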
Workarounds
- Block outbound traffic from the XWiki server to internal subnets and cloud metadata IPs at the network firewall.
- Configure an HTTP egress proxy with an allow-list of trusted PlantUML rendering hosts.
- Disable the PlantUML Macro extension until the patched version is deployed if business requirements allow.
# Example iptables egress rules blocking access to AWS instance metadata and private subnets from the XWiki host
# Assumes the XWiki JVM runs as the 'xwiki' user; adjust --uid-owner to match the deployment
iptables -A OUTPUT -m owner --uid-owner xwiki -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner xwiki -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner xwiki -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner xwiki -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.