CVE-2026-40104
Resource Exhaustion in XWiki REST API Causes Server Overload
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 17.0.0 (inc) to 17.4.8 (exc) |
| xwiki | xwiki | From 17.5.0 (inc) to 17.10.1 (exc) |
| xwiki | xwiki | From 1.8 (inc) to 16.10.16 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described in CVE-2026-40104 causes resource exhaustion on the server by allowing unrestricted queries that list all pages and spaces in large wikis. However, it does not impact confidentiality or integrity of data, only availability with a low impact.
Since the vulnerability does not affect confidentiality or integrity of personal or sensitive data, it does not directly compromise compliance with standards like GDPR or HIPAA, which primarily focus on protecting data privacy and integrity.
The main impact is on availability, which could potentially affect service uptime but does not imply unauthorized data access or disclosure.
Therefore, while the vulnerability could cause service disruption, it does not inherently violate data protection regulations related to confidentiality or integrity.
Can you explain this vulnerability to me?
CVE-2026-40104 is a resource exhaustion vulnerability in the XWiki Platform affecting certain versions. The issue occurs in REST API endpoints that list all available pages as part of metadata for database list properties without applying any query limits. This unrestricted listing can cause the server to exhaust its resources, especially on large wikis.
The root cause is that the platform allocates resources without limits or throttling, allowing queries to return an unlimited number of items. This can lead to excessive resource consumption.
The vulnerability has been fixed by modifying the system to respect a configurable query limit, preventing queries from returning more items than allowed by security configuration.
How can this vulnerability impact me?
This vulnerability can impact you by causing resource exhaustion on the server hosting the XWiki platform. When exploited, the REST API endpoints can generate queries that return an unlimited number of items, which can consume excessive server resources.
On large wikis, this can lead to service unavailability or degraded performance, as the server may run out of memory or processing capacity.
The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves resource exhaustion through specific REST API endpoints in the XWiki platform that list all pages without query limits. Detection can focus on monitoring unusual or excessive requests to these endpoints.
You can detect potential exploitation by inspecting web server logs or using network monitoring tools to identify repeated or large requests to REST API endpoints such as `/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties`.
Example commands to detect such activity include:
- Using grep on server logs to find requests to the vulnerable endpoint: `grep "/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties" /var/log/apache2/access.log`
- Using curl to manually test the endpoint and observe response size or latency: `curl -v https://your-xwiki-server/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties`
- Using network monitoring tools (e.g., Wireshark or tcpdump) to capture and analyze traffic targeting the REST API endpoints.
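The grep above only finds individual hits; what a defender usually wants is the per-client picture (how often the property-listing endpoints are hit and how large the responses are, since the unbounded page listing is what makes them expensive). The following script is an added example, not code from the advisory or from XWiki; the log lines are constructed, the endpoint pattern is generalised from the one path named above to the whole `/objects/<class>/<n>/properties` family, and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format; we only need client IP, path and response bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# XWiki REST object-property listing endpoints (generalised from the path in the advisory):
# /xwiki/rest/wikis/<wiki>/spaces/<space>[/spaces/<sub>...]/pages/<page>/objects/<class>/<n>/properties
PROPS_RE = re.compile(
    r'^/xwiki/rest/wikis/[^/]+/spaces/.+/pages/[^/]+/objects/[^/]+/\d+/properties(/|\?|$)'
)

def parse_line(line):
    """Return a dict with ip/path/status/bytes for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec

def find_suspicious(lines, max_requests=5, max_avg_bytes=1_000_000):
    """Aggregate hits on property-listing endpoints per client IP and flag clients that either
    hit them repeatedly or pull very large responses. Thresholds are assumptions, tune them per site."""
    stats = defaultdict(lambda: {'count': 0, 'bytes': 0, 'paths': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROPS_RE.match(rec['path']):
            continue
        s = stats[rec['ip']]
        s['count'] += 1
        s['bytes'] += rec['bytes']
        s['paths'].add(rec['path'].split('?', 1)[0])
    flagged = {}
    for ip, s in stats.items():
        avg = s['bytes'] // s['count']
        if s['count'] >= max_requests or avg >= max_avg_bytes:
            flagged[ip] = {'count': s['count'], 'avg_bytes': avg, 'paths': sorted(s['paths'])}
    return flagged

# Constructed sample traffic (not real logs): one ordinary client, one client pulling the listing repeatedly.
def _line(ip, path, nbytes, sec):
    return (f'{ip} - - [15/Apr/2026:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 {nbytes} '
            '"-" "Mozilla/5.0 (constructed sample)"')

PROPS_PATH = ('/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig'
              '/objects/AnnotationCode.AnnotationConfig/0/properties')
SAMPLE_LOG = ([_line('198.51.100.7', '/xwiki/bin/view/Main/', 5120, 1),
               _line('198.51.100.7', PROPS_PATH, 8200, 2)]
              + [_line('203.0.113.9', PROPS_PATH, 48_000_000, 10 + i) for i in range(6)])

if __name__ == '__main__':
    for ip, info in find_suspicious(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} hits, avg {info['avg_bytes']} bytes, {info['paths']}")
```

Run it against a real access log with `find_suspicious(open('/var/log/apache2/access.log'))`; a client that appears here with multi-megabyte averages is the signature of the unbounded listing, not ordinary REST use.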
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade the XWiki platform to a patched version where the vulnerability is fixed.
- Upgrade to version 16.10.16, 17.4.8, 17.10.1 or later, where query limits are properly enforced on database list properties to prevent resource exhaustion.
No known workarounds exist other than upgrading. Until the upgrade is applied, consider limiting access to the vulnerable REST API endpoints via network controls or web application firewalls to reduce exposure.