Executive Summary

CVE-2026-40104 is a resource exhaustion vulnerability in the XWiki Platform affecting certain versions. The issue occurs in REST API endpoints that list all available pages as part of metadata for database list properties without applying any query limits. This unrestricted listing can cause the server to exhaust its resources, especially on large wikis.

The root cause is that the platform allocates resources without limits or throttling, allowing queries to return an unlimited number of items. This can lead to excessive resource consumption.

The vulnerability has been fixed by modifying the system to respect a configurable query limit, preventing queries from returning more items than allowed by security configuration.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing resource exhaustion on the server hosting the XWiki platform. When exploited, the REST API endpoints can generate queries that return an unlimited number of items, which can consume excessive server resources.

On large wikis, this can lead to service unavailability or degraded performance, as the server may run out of memory or processing capacity.

The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves resource exhaustion through specific REST API endpoints in the XWiki platform that list all pages without query limits. Detection can focus on monitoring unusual or excessive requests to these endpoints.

You can detect potential exploitation by inspecting web server logs or using network monitoring tools to identify repeated or large requests to REST API endpoints such as: /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties

Example commands to detect such activity include:

• Using grep on server logs to find requests to the vulnerable endpoint: grep "/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties" /var/log/apache2/access.log
• Using curl to manually test the endpoint and observe response size or latency: curl -v https://your-xwiki-server/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties
• Using network monitoring tools (e.g., Wireshark or tcpdump) to capture and analyze traffic targeting the REST API endpoints.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade the XWiki platform to a patched version where the vulnerability is fixed.

• Upgrade to version 16.10.16, 17.4.8, 17.10.1 or later, where query limits are properly enforced on database list properties to prevent resource exhaustion.

No known workarounds exist other than upgrading. Until the upgrade is applied, consider limiting access to the vulnerable REST API endpoints via network controls or web application firewalls to reduce exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability described in CVE-2026-40104 causes resource exhaustion on the server by allowing unrestricted queries that list all pages and spaces in large wikis. However, it does not impact confidentiality or integrity of data, only availability with a low impact.

Since the vulnerability does not affect confidentiality or integrity of personal or sensitive data, it does not directly compromise compliance with standards like GDPR or HIPAA, which primarily focus on protecting data privacy and integrity.

The main impact is on availability, which could potentially affect service uptime but does not imply unauthorized data access or disclosure.

Therefore, while the vulnerability could cause service disruption, it does not inherently violate data protection regulations related to confidentiality or integrity.

Useful 0 Not Useful 0