CVE-2026-43646 Overview
CVE-2026-43646 is an information disclosure vulnerability in Apache Wicket, a Java-based component-oriented web application framework. The flaw exposes sensitive information to unauthorized actors over the network without requiring authentication or user interaction. The issue is classified under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).
The vulnerability affects Apache Wicket versions 8.0.0 through 8.17.0, 9.0.0 through 9.22.0, and 10.0.0 through 10.8.0. The Apache Wicket project has released version 10.9.0 to remediate the issue.
Critical Impact
Remote attackers can retrieve sensitive application data over the network without authentication, undermining the confidentiality of affected Wicket-based web applications.
Affected Products
- Apache Wicket 8.0.0 through 8.17.0
- Apache Wicket 9.0.0 through 9.22.0
- Apache Wicket 10.0.0 through 10.8.0
Discovery Timeline
- 2026-05-06 - CVE-2026-43646 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Apache Software Foundation publishes advisory on the Apache Mailing List
- 2026-05-06 - Issue announced on the Openwall OSS-Security list
- 2026-05-06 - Last updated in the NVD database
Technical Details for CVE-2026-43646
Vulnerability Analysis
Apache Wicket is a server-side Java framework that maps HTTP requests to stateful component trees. CVE-2026-43646 allows a network-based attacker to obtain sensitive information from an application built on a vulnerable Wicket release. The flaw requires no privileges and no user interaction, and it can be triggered through standard HTTP request paths exposed by the framework.
The issue affects only the confidentiality of the application. Integrity and availability are not impacted, and the vulnerability does not provide a primitive for code execution. However, leaked data may include application state, session-related artifacts, or framework internals that aid follow-on attacks against authentication, authorization, or business logic.
At the time of publication, the EPSS probability is 0.062% (19.1 percentile), and there is no public proof-of-concept exploit, no Exploit-DB entry, and no listing in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is improper restriction of access to sensitive data handled by the Wicket framework, consistent with [CWE-200]. The Apache Wicket project has not published technical internals beyond the advisory, but the fix is shipped in version 10.9.0. Refer to the Apache advisory for the authoritative description.
Attack Vector
The attack vector is network-based. An unauthenticated remote attacker sends crafted HTTP requests to a vulnerable Wicket-based application and reads sensitive content from the response. Because exploitation occurs through normal web traffic, the requests blend with legitimate application use and may not stand out in conventional access logs.
No verified proof-of-concept code is publicly available. See the Openwall OSS-Security announcement for vendor-supplied technical context.
Detection Methods for CVE-2026-43646
Indicators of Compromise
- Unexpected HTTP responses from Wicket endpoints containing internal application data, stack traces, or component identifiers not intended for clients.
- Repeated probing of Wicket-managed URLs (typically containing wicket/ path segments or ?wicket- query parameters) from a single source.
- Anomalous response sizes for Wicket resource or page requests when compared to historical baselines.
Detection Strategies
- Inventory all running Apache Wicket instances and compare deployed versions against the vulnerable ranges (8.0.0–8.17.0, 9.0.0–9.22.0, 10.0.0–10.8.0).
- Inspect web server and application logs for unusual access patterns against Wicket-handled paths, particularly from unauthenticated sessions.
- Apply web application firewall (WAF) rules to flag requests that target Wicket internals and produce abnormally large or sensitive responses.
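The version inventory step above, as an added Python example (not part of the advisory or the Apache Wicket project): it parses the coordinate lines that `mvn dependency:tree` prints, compares each Wicket artifact against the affected ranges listed on this page, and lists what must move to 10.9.0. The sample tree output is constructed.

```python
import re

# Affected ranges as published in the advisory (inclusive bounds) and the fixed release.
AFFECTED_RANGES = [((8, 0, 0), (8, 17, 0)),
                   ((9, 0, 0), (9, 22, 0)),
                   ((10, 0, 0), (10, 8, 0))]
FIXED_VERSION = (10, 9, 0)

# Matches Maven coordinates as printed by `mvn dependency:tree`, e.g.
# "[INFO] +- org.apache.wicket:wicket-core:jar:9.10.0:compile"
COORD_RE = re.compile(r"org\.apache\.wicket:(?P<artifact>[\w.-]+):(?:[\w-]+:)?"
                      r"(?P<version>\d+\.\d+\.\d+)")


def parse_version(text):
    """'9.10.0' -> (9, 10, 0); only the numeric major.minor.patch part is compared."""
    return tuple(int(p) for p in text.split(".")[:3])


def is_affected(version):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_dependency_tree(tree_output):
    """Return (artifact, version, affected) for each Wicket artifact in the tree output."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if m:
            findings.append((m.group("artifact"), m.group("version"), is_affected(m.group("version"))))
    return findings


def remediation(findings):
    """Human-readable upgrade list for every affected artifact found."""
    target = ".".join(str(n) for n in FIXED_VERSION)
    return [f"{artifact}: {version} -> {target}" for artifact, version, affected in findings if affected]


# Constructed sample output; the project and versions are illustrative, not a real build.
SAMPLE_TREE = """\
[INFO] com.example:shop:war:1.0.0
[INFO] +- org.apache.wicket:wicket-core:jar:9.10.0:compile
[INFO] |  \\- org.apache.wicket:wicket-util:jar:9.10.0:compile
[INFO] +- org.apache.wicket:wicket-spring:jar:10.9.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""
```

Run `scan_dependency_tree(open("tree.txt").read())` on the saved output of `mvn dependency:tree` for each deployed WAR; every Wicket module must be upgraded together, not only wicket-core.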
Monitoring Recommendations
- Centralize HTTP access and application logs from all Wicket-based services and alert on spikes in 200-OK responses tied to framework-internal URLs.
- Track outbound response payload sizes for Wicket endpoints and investigate statistical outliers.
- Subscribe to the Apache Wicket announcements to receive future security advisories promptly.
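The indicators and monitoring points above (repeated probing of wicket/ or ?wicket- URLs from one source, and 200-OK responses far above the historical size baseline), as an added Python example that is not part of the advisory. It assumes Common Log Format access logs; the traffic samples are constructed.

```python
import re
import statistics
from collections import Counter, defaultdict

# Common Log Format fields we need: source IP, request path, status, response bytes.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# Wicket-managed URLs typically carry a wicket/ path segment or a ?wicket- query parameter.
WICKET_RE = re.compile(r"/wicket/|[?&]wicket-")

def parse_log(lines):
    """Parse CLF lines into dicts; lines that do not match are skipped, '-' sizes count as 0."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append({"src": m.group("src"), "path": m.group("path"),
                            "status": int(m.group("status")), "bytes": int(m.group("bytes").replace("-", "0"))})
    return entries

def probing_sources(entries, threshold=5):
    """Sources that hit Wicket-managed URLs at least `threshold` times."""
    counts = Counter(e["src"] for e in entries if WICKET_RE.search(e["path"]))
    return {src: n for src, n in counts.items() if n >= threshold}

def baseline_medians(history):
    """Median 200-OK response size per Wicket path (query string stripped) from historical traffic."""
    sizes = defaultdict(list)
    for e in history:
        if e["status"] == 200 and WICKET_RE.search(e["path"]):
            sizes[e["path"].split("?")[0]].append(e["bytes"])
    return {p: statistics.median(v) for p, v in sizes.items()}

def oversized_responses(entries, medians, factor=3.0):
    """200-OK Wicket responses larger than `factor` times the historical median for that path."""
    flagged = []
    for e in entries:
        base = medians.get(e["path"].split("?")[0])
        if e["status"] == 200 and base and e["bytes"] > factor * base:
            flagged.append(e)
    return flagged

# Constructed sample traffic (not from a real incident): 10.0.0.5 probes repeatedly and
# one of its requests draws a response far larger than the historical baseline.
HISTORY = [f'198.51.100.{i} - - [06/May/2026:10:00:00 +0000] "GET /app/wicket/page?3 HTTP/1.1" 200 4100'
           for i in range(1, 6)]
CURRENT_LOG = ['203.0.113.9 - - [06/May/2026:11:00:00 +0000] "GET /app/wicket/page?3 HTTP/1.1" 200 4050'] + [
    f'10.0.0.5 - - [06/May/2026:11:0{i}:00 +0000] "GET /app/wicket/page?wicket-{i} HTTP/1.1" 200 {4000 if i < 5 else 30000}'
    for i in range(6)]
```

Feed `baseline_medians` a window of known-good traffic and run `probing_sources` and `oversized_responses` over each new log batch; tune `threshold` and `factor` to the application's normal request rate.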
How to Mitigate CVE-2026-43646
Immediate Actions Required
- Upgrade Apache Wicket to version 10.9.0 or later, as recommended by the Apache Software Foundation.
- Identify all internally and externally exposed applications that bundle Wicket as a dependency, including transitive inclusions in WAR and uber-JAR artifacts.
- Restrict network access to non-public Wicket applications until patching is complete.
Patch Information
The Apache Wicket project has fixed CVE-2026-43646 in version 10.9.0. Users on the 8.x and 9.x branches should upgrade to 10.9.0, since no fixed releases are listed for those branches in the advisory. Patch metadata is available in the Apache mailing list advisory and the Openwall OSS-Security update.
Workarounds
- Place vulnerable Wicket applications behind a WAF or reverse proxy that filters requests targeting framework-internal endpoints until the upgrade is deployed.
- Disable or restrict access to non-essential Wicket pages and resources that handle sensitive state.
- Enforce authentication on all routes that surface application data, even if the routes are considered internal.
# Example Maven dependency upgrade to the fixed version.
# Every org.apache.wicket module in the build must move together; repeat for each
# artifact the project uses (or pass -Dincludes=org.apache.wicket:* to cover them all).
mvn versions:use-dep-version \
    -Dincludes=org.apache.wicket:wicket-core \
    -DdepVersion=10.9.0 \
    -DforceVersion=true
# Verify that no Wicket artifact still resolves to an affected version
mvn dependency:tree | grep -i wicket
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.