Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32251 is an XML External Entity (XXE) injection vulnerability in the Tolgee localization platform's XML import functionality. The XML parsers used for importing Android XML resources and .resx files do not disable external entity processing, allowing an authenticated user with import permissions to craft malicious XML files. These files can exploit the parser to read arbitrary files on the server or make server-side requests to internal services."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the XML parsers do not have security features enabled that prevent processing of external entities and DTDs, which are commonly exploited in XXE attacks.'}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including unauthorized disclosure of sensitive server files such as configuration files, database credentials, JWT secrets, API keys, and environment variables.'}, {'type': 'paragraph', 'content': 'It also enables server-side request forgery (SSRF), allowing attackers to make requests to internal services or cloud metadata endpoints, potentially leading to further compromise.'}, {'type': 'paragraph', 'content': "Since the attack requires only import permissions on any project, it is a low-privilege but highly impactful vulnerability that can lead to unauthorized access to other tenants' data if credentials are exposed."}] [2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious XML import activities where external entity declarations are present in translation files being imported. Since the exploit requires an authenticated user to import crafted XML files, reviewing import logs for unusual or unexpected XML content is important.'}, {'type': 'paragraph', 'content': 'Specifically, you can check for XML files containing DOCTYPE declarations or external entity references that might be used to exploit the XXE vulnerability.'}, {'type': 'paragraph', 'content': 'While no direct commands are provided in the resources, a practical approach is to scan imported XML files for patterns like "<!DOCTYPE" or "SYSTEM" that indicate external entity usage.'}, {'type': 'list_item', 'content': "Use grep or similar tools to search for DOCTYPE declarations in imported files: grep -r '<!DOCTYPE' /path/to/imported/files"}, {'type': 'list_item', 'content': 'Monitor application logs for errors or unusual requests related to XML imports.'}, {'type': 'list_item', 'content': 'Check for unexpected outbound requests from the server that could indicate SSRF attempts triggered by XXE.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to upgrade the Tolgee platform to version 3.166.3 or later, where the vulnerability is fixed by disabling external entity processing in all XML parsers used for importing translation files.

If upgrading is not immediately possible, ensure that XML parsers used in the import process are configured to disable external entity processing and DTD support by setting the following properties:

• For XMLInputFactory (StAX): set IS_SUPPORTING_EXTERNAL_ENTITIES = false and SUPPORT_DTD = false.
• For DocumentBuilderFactory (DOM): enable FEATURE_SECURE_PROCESSING, disallow DOCTYPE declarations, and disable external general and parameter entities.

Additionally, restrict import permissions to trusted users only, monitor import activities closely, and audit imported XML files for malicious content.

Useful 0 Not Useful 0