CVE-2026-23734
Path Traversal in XWiki Platform via SSX/JSX Endpoints
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki_platform | to 18.1.0-rc-1 (exc) |
| xwiki | xwiki_platform | 17.10.3 |
| xwiki | xwiki_platform | 17.4.9 |
| xwiki | xwiki_platform | 16.10.17 |
| xwiki | xwiki_commons | to 18.1.0-rc-1 (exc) |
| xwiki | xwiki_commons | 17.10.3 |
| xwiki | xwiki_commons | 17.4.9 |
| xwiki | xwiki_commons | 16.10.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23734 is a critical path traversal vulnerability in the XWiki Platform affecting the ssx and jsx endpoints. It allows attackers to read sensitive configuration files by exploiting the resources parameter with leading slashes. This enables unauthorized access to files such as /WEB-INF/xwiki.cfg via specially crafted URLs.
The vulnerability arises from improper input handling that permits directory traversal outside the intended restricted paths, classified as CWE-23 (Relative Path Traversal). It affects versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, and is fixed in those versions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to sensitive configuration files through path traversal, which can lead to exposure of confidential information.
Such unauthorized data exposure can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.
Failure to patch this vulnerability could result in breaches of confidentiality, potentially leading to regulatory penalties and loss of trust.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized disclosure of sensitive configuration files, which may contain critical information about the system setup and credentials.
Because the vulnerability requires no privileges or user interaction to exploit, attackers can remotely access confidential data, potentially compromising confidentiality, integrity, and availability of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access sensitive configuration files through the vulnerable endpoints using crafted URLs that exploit path traversal via the resources parameter.
For example, you can test the vulnerability by sending HTTP requests to the ssx or jsx endpoints with a URL similar to:
- http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false
If the server responds with the contents of the configuration file or any sensitive file outside the intended directory, the system is vulnerable.
You can use command-line tools like curl or wget to perform this test, for example:
- curl -i "http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false"
- wget -qO- "http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false"
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade XWiki Platform to a patched version where this vulnerability is fixed.
- Upgrade to one of the fixed versions: 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17.
There are no known workarounds other than upgrading, so applying the patch is critical to prevent exploitation.
The patch includes improved path normalization and handling of leading slashes in resource paths to prevent directory traversal attacks.
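As an added illustration of the kind of check the mitigation above describes (example code, not XWiki's own implementation): a resolver that normalises the requested resource path and then requires the result to stay inside the resource root, shown beside the naive concatenate-and-normalise pattern that lets a leading slash followed by ".." segments reach a file such as WEB-INF/xwiki.cfg. The resource root directory is an assumption chosen for the example.

```python
import posixpath
from typing import Optional

# Hypothetical directory from which the ssx/jsx endpoints are meant to serve
# skin resources (constructed for this example, not an XWiki path).
RESOURCE_ROOT = "/opt/xwiki/webapps/xwiki/resources"


def naive_resolve(resource: str, root: str = RESOURCE_ROOT) -> str:
    """Insecure pattern: concatenate, normalise, and trust the result.

    A value like "/../../WEB-INF/xwiki.cfg" normalises to a path two levels
    above the root, and nothing here notices.
    """
    return posixpath.normpath(root + "/" + resource)


def safe_resolve(resource: str, root: str = RESOURCE_ROOT) -> Optional[str]:
    """Hardened pattern: normalise, then require containment under root.

    Returns the absolute path to serve, or None when the request must be
    refused. Call this on the already URL-decoded parameter value.
    """
    # A leading slash does not make the request absolute; it is always
    # interpreted relative to the resource root.
    relative = resource.lstrip("/")
    # Refuse empty names and NUL bytes before the path reaches any file API.
    if not relative or "\x00" in relative:
        return None
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check on the normalised result: anything that collapsed to
    # the root itself or climbed outside it via ".." is rejected, regardless
    # of how the ".." segments were written in the request.
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate
```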