CVE-2026-33229
Sandbox Bypass in XWiki Velocity API Allows Arbitrary Code Execution

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
xwiki xwiki From 17.0.0 (inc) to 17.4.8 (exc)
xwiki xwiki From 17.5.0 (inc) to 17.10.1 (exc)
CWE
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33229 is a high-severity remote code execution vulnerability in the XWiki platform affecting the Velocity scripting API.

The issue arises because the scripting API is improperly protected, allowing any user with the "script right" permission to bypass the sandbox restrictions of the Velocity scripting environment.

This bypass enables execution of arbitrary scripts, including Python, leading to full compromise of the XWiki instance’s confidentiality, integrity, and availability.

The vulnerability is fixed in versions 17.4.8 and 17.10.1 by requiring the "programming right" permission to access the affected scripting API, thereby restricting access more strictly.

How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with the "script right" permission to execute arbitrary scripts on the XWiki instance.

This can lead to a full compromise of the system, affecting confidentiality, integrity, and availability of the entire XWiki instance.

  • Confidentiality: Unauthorized access to sensitive data.
  • Integrity: Unauthorized modification or deletion of data.
  • Availability: Potential disruption or denial of service of the XWiki platform.

Because the vulnerability can be exploited remotely over the network with low complexity and no user interaction, it poses a significant risk if the "script right" permission is granted to untrusted users.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises when a user with the 'script right' permission can bypass the sandboxing of the Velocity scripting API to execute arbitrary scripts. Detection involves identifying if any users have the 'script right' permission and if the XWiki platform version is vulnerable (prior to 17.4.8 and 17.10.1).

Since the vulnerability requires high privileges and specific versions, you can detect it by checking the XWiki platform version and reviewing user permissions.

  • Check the XWiki platform version to see if it is older than 17.4.8 or 17.10.1.
  • Audit users with the 'script right' permission to ensure no untrusted users have this high-level access.
  • Look for unusual script executions or logs indicating bypass of Velocity sandboxing.

Specific commands depend on your environment, but examples include:

  • Using database queries or XWiki API calls to list users with 'script right' permission.
  • Checking the installed XWiki version via the application interface or command line.
  • Reviewing application logs for suspicious script execution attempts.
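An added offline version check against the CPE ranges listed on this page (example code, not part of the page or of the XWiki project). It assumes the installed version is supplied as a string such as "17.4.7" or "17.10.0-SNAPSHOT"; how you read it from your instance is left to you.

```python
"""Check an XWiki version string against the affected ranges for CVE-2026-33229.

Assumption (not from the page): the version is passed in as a string; obtaining
it from the running instance is up to the operator.
"""
import re
from typing import Optional, Tuple

# Affected ranges from the page's CPE table, as [start, end) per branch.
AFFECTED_RANGES = (
    ((17, 0, 0), (17, 4, 8)),   # From 17.0.0 (inc) to 17.4.8 (exc)
    ((17, 5, 0), (17, 10, 1)),  # From 17.5.0 (inc) to 17.10.1 (exc)
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-qualifier]' into a comparable tuple.

    Qualifiers such as '-SNAPSHOT' or '-rc-1' are dropped; a missing PATCH is 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?\s*$", version)
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the listed CPE ranges.

    Versions outside both ranges (e.g. 16.x or 18.x) return False only because
    the table does not list them; that is not proof of safety, so consult the
    vendor advisory for branches the table omits.
    """
    v = parse_version(version)
    return any(start <= v < end for start, end in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the same branch, or None if not affected."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if start <= v < end:
            return ".".join(str(n) for n in end)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real instances.
    for sample in ("17.4.7", "17.4.8", "17.10.0-SNAPSHOT", "17.10.1", "16.10.5"):
        print(f"{sample:18} affected={is_affected(sample)} fix={fixed_version_for(sample)}")
```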

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the XWiki platform to a fixed version and managing user permissions carefully.

  • Upgrade XWiki Platform to version 17.4.8 or 17.10.1 or later, where the vulnerability is patched.
  • Restrict the 'script right' permission to only fully trusted users, as this permission allows bypassing the Velocity scripting sandbox.
  • Ensure that only users with the 'programming right' permission can access the scripting API, as enforced in the patched versions.
  • Monitor logs for any suspicious script execution attempts and revoke permissions if unauthorized activity is detected.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows users with the 'script right' permission to bypass sandbox restrictions and execute arbitrary scripts, leading to full compromise of the XWiki instance's confidentiality, integrity, and availability.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of sensitive data and system integrity.

Because the vulnerability enables unauthorized access and control over the system, it could lead to unauthorized disclosure or alteration of protected information, violating confidentiality and integrity requirements mandated by these regulations.

Mitigation involves restricting the 'script right' permission to trusted users only and applying patches that enforce stricter authorization checks.
