Executive Summary

CVE-2026-33137 is a critical vulnerability in the XWiki Platform's REST API. Specifically, the POST /wikis/{wikiName} endpoint allows unauthenticated attackers to import XAR files without any authentication or authorization checks. This means an attacker can create or update documents in any target wiki without needing to log in or have permissions.

The vulnerability exists in versions prior to 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1 and was caused by missing authorization checks during the XAR import process.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a severe impact because it allows unauthenticated attackers to create or modify documents in the wiki, potentially leading to unauthorized data manipulation or insertion of malicious content.

Since the attacker does not need any credentials, the confidentiality, integrity, and availability of the wiki content are at high risk. An attacker could overwrite important documents, inject harmful data, or disrupt the normal operation of the wiki.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthenticated POST requests to the /wikis/{wikiName} API endpoint that allow importing XAR files without authorization checks.

To detect exploitation attempts on your network or system, you can monitor HTTP POST requests targeting the /wikis/{wikiName} endpoint.

For example, using command-line tools like curl or network monitoring tools, you can look for suspicious POST requests to this endpoint.

• Use a network packet capture tool (e.g., tcpdump or Wireshark) to filter HTTP POST requests to paths matching /wikis/*.
• Example tcpdump command: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'POST /wikis/'
• Check web server logs for POST requests to /wikis/{wikiName} endpoints without authentication headers.
• Example grep command on access logs: grep 'POST /wikis/' /var/log/apache2/access.log

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability has been patched in XWiki versions 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1.

Immediate mitigation steps include upgrading your XWiki Platform to one of these patched versions.

If upgrading immediately is not possible, you can block POST requests to the /wikis/{wikiName} endpoint via an HTTP proxy or firewall to prevent unauthenticated XAR imports.

Additionally, verify that your XWiki instance enforces authorization checks on XAR imports, ensuring only users with wiki admin rights can perform these operations.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to create or update documents in the target wiki without any authentication or authorization checks, which can lead to unauthorized access and modification of sensitive information.

Such unauthorized access and modification can compromise the confidentiality and integrity of data stored in the XWiki platform, potentially violating compliance requirements of common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of sensitive data.

The vulnerability has been patched by adding authorization checks to ensure only users with wiki admin rights can perform XAR imports, thereby helping to restore compliance with these standards by enforcing proper access controls.

Useful 0 Not Useful 0