CVE-2026-33229
Sandbox Bypass in XWiki Velocity API Allows Arbitrary Code Execution

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-14
Generated: 2026-06-16
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
xwiki    xwiki     From 17.0.0 (inclusive) to 17.4.8 (exclusive)
xwiki    xwiki     From 17.5.0 (inclusive) to 17.10.1 (exclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Compliance Impact

This vulnerability allows users with the 'script right' permission to bypass sandbox restrictions and execute arbitrary scripts, leading to full compromise of the XWiki instance's confidentiality, integrity, and availability.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of sensitive data and system integrity.

Because the vulnerability enables unauthorized access and control over the system, it could lead to unauthorized disclosure or alteration of protected information, violating confidentiality and integrity requirements mandated by these regulations.

Mitigation involves restricting the 'script right' permission to trusted users only and applying patches that enforce stricter authorization checks.

Executive Summary

CVE-2026-33229 is a high-severity remote code execution vulnerability in the XWiki platform affecting the Velocity scripting API.

The issue arises because the scripting API is improperly protected, allowing any user with the "script right" permission to bypass the sandbox restrictions of the Velocity scripting environment.

This bypass enables execution of arbitrary scripts, including Python, leading to full compromise of the XWiki instance’s confidentiality, integrity, and availability.

The vulnerability is fixed in versions 17.4.8 and 17.10.1 by requiring the "programming right" permission to access the affected scripting API, thereby restricting access more strictly.

Impact Analysis

If exploited, this vulnerability allows an attacker with the "script right" permission to execute arbitrary scripts on the XWiki instance.

This can lead to a full compromise of the system, affecting confidentiality, integrity, and availability of the entire XWiki instance.

  • Confidentiality: Unauthorized access to sensitive data.
  • Integrity: Unauthorized modification or deletion of data.
  • Availability: Potential disruption or denial of service of the XWiki platform.

Because the vulnerability can be exploited remotely over the network with low complexity and no user interaction, it poses a significant risk if the "script right" permission is granted to untrusted users.

Detection Guidance

This vulnerability arises when a user with the 'script right' permission can bypass the sandboxing of the Velocity scripting API to execute arbitrary scripts. Detection involves identifying if any users have the 'script right' permission and if the XWiki platform version is vulnerable (prior to 17.4.8 and 17.10.1).

Since the vulnerability requires high privileges and specific versions, you can detect it by checking the XWiki platform version and reviewing user permissions.

  • Check the XWiki platform version to see if it is older than 17.4.8 or 17.10.1.
  • Audit users with the 'script right' permission to ensure no untrusted users have this high-level access.
  • Look for unusual script executions or logs indicating bypass of Velocity sandboxing.

Specific commands depend on your environment, but examples include:

  • Using database queries or XWiki API calls to list users with 'script right' permission.
  • Checking the installed XWiki version via the application interface or command line.
  • Reviewing application logs for suspicious script execution attempts.
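The version check above, as an added example that is not part of the advisory or of the XWiki project: it compares an installed XWiki version string against the two affected ranges from the CPE table (the description's "prior to" wording has no lower bound, but the CPE table starts at 17.0.0, and the code follows the table). It assumes the version is the string XWiki reports, such as "17.4.7" or "17.10.1-rc-1", and treats a pre-release suffix as older than the final release of the same number.

```python
import re

# Affected ranges as published in the CPE table (assumption: the table is authoritative):
# lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = (("17.0.0", "17.4.8"), ("17.5.0", "17.10.1"))

# Numeric core followed by an optional "-suffix" such as "-rc-1" or "-milestone-2".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(.+))?$")


def parse_version(text):
    """Return a sortable key for an XWiki version string.

    Key = (numeric components padded to at least 3, release flag). The flag is 0 for
    a pre-release such as "17.4.8-rc-1" and 1 for the final release, so a release
    candidate sorts before the release it precedes. Raises ValueError on junk input.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return (tuple(parts), 0 if m.group(2) else 1)


def is_affected(version):
    """True if `version` lies inside one of the affected ranges."""
    key = parse_version(version)
    return any(parse_version(low) <= key < parse_version(high)
               for low, high in AFFECTED_RANGES)


def triage(version):
    """One-line verdict naming the fix release for the branch the version is on."""
    if not is_affected(version):
        return f"{version}: not in an affected range for CVE-2026-33229"
    # Versions below 17.5.0 are on the 17.4.x line (fixed in 17.4.8); later ones get 17.10.1.
    target = "17.4.8" if parse_version(version) < parse_version("17.5.0") else "17.10.1"
    return f"{version}: affected by CVE-2026-33229, upgrade to {target} or later"


if __name__ == "__main__":
    # Constructed sample versions covering both ranges, both fix releases and an RC.
    for v in ("17.4.7", "17.4.8", "17.10.0", "17.10.1-rc-1", "17.10.1", "16.10.0"):
        print(triage(v))
```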

Mitigation Strategies

Immediate mitigation steps include upgrading the XWiki platform to a fixed version and managing user permissions carefully.

  • Upgrade XWiki Platform to version 17.4.8 or 17.10.1 or later, where the vulnerability is patched.
  • Restrict the 'script right' permission to only fully trusted users, as this permission allows bypassing the Velocity scripting sandbox.
  • Ensure that only users with the 'programming right' permission can access the scripting API, as enforced in the patched versions.
  • Monitor logs for any suspicious script execution attempts and revoke permissions if unauthorized activity is detected.