VYPR
Critical severity · NVD Advisory · Published May 20, 2026

CVE-2026-23734

Description

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow reading configuration files through URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, i.e. a Path Traversal. The vulnerability can be exploited through the resource parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in XWiki Platform's ssx and jsx endpoints allows reading configuration files, including the one that may hold the superadmin password, via a leading slash in the resource parameter.

Vulnerability

A path traversal vulnerability exists in the ClassLoaderUtils.resolveResourceName method of XWiki Platform. The fix for CVE-2025-55748 was incomplete: the method normalizes the requested resource name with Paths#normalize() and rejects it only if the normalized result starts with ../, but it does not account for leading slashes (/). An attacker can supply a resource parameter starting with / followed by ../ segments; normalization discards the ../ segments above the (apparent) root, so the check passes, while the servlet container's class loader ignores the leading slashes and honors the traversal. This affects the ssx and jsx endpoints. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 are vulnerable [2][3].

Exploitation

An attacker with network access to the XWiki instance can send a crafted HTTP request to an ssx or jsx endpoint, such as /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false. Paths#normalize() treats the leading slash as the filesystem root and drops the ../ segments that would climb above it, so the normalized value (/WEB-INF/xwiki.cfg) does not start with ../ and the guard is not triggered. The unnormalized name is then handed to the class loader, and on Tomcat leading slashes have no effect, so the ../ segments are applied relative to the resource root and the lookup escapes the intended directory [2][3]. No authentication is required.
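
The guard described above, modelled as an added example (this is not XWiki's code): the pre-fix and post-fix checks are re-implemented in Python, with posixpath.normpath standing in for java.nio Path#normalize (the two agree on the inputs used here), together with an emulation of the one Tomcat behaviour the patch relies on, namely that leading slashes are ignored. The class-loader root, the log lines and the percent-encoded variant are constructed for illustration; the example goes slightly beyond the page by also scanning access-log request targets for the same pattern.

```python
"""Model of the resolveResourceName guard before and after the CVE-2026-23734 fix.

Added example, not code from the XWiki project. posixpath.normpath plays the
role of java.nio.file.Path#normalize; CLASSES_ROOT and the log lines below are
constructed assumptions, not values taken from a real deployment.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed Tomcat class-loader root for the web application (illustrative only).
CLASSES_ROOT = "/opt/xwiki/webapps/xwiki/WEB-INF/classes"


def _first_element_is_parent(normalized: str) -> bool:
    """Java's Path#startsWith("../") is true when the first name element is '..'."""
    return normalized.split("/")[0] == ".."


def vulnerable_resolve(resource: str) -> str:
    """Pre-fix guard: normalize, reject only if the result starts with '..'.

    A leading '/' makes the name absolute, so normpath drops the '..' segments
    above the root and the check never fires; the raw name is still returned.
    """
    normalized = posixpath.normpath(resource)
    if _first_element_is_parent(normalized):
        raise ValueError(f"resource [{resource}] navigates out of the root")
    return resource


def fixed_resolve(resource: str) -> str:
    """Post-fix guard: strip leading '/' the way Tomcat does, then normalize and check."""
    stripped = resource.lstrip("/")
    normalized = posixpath.normpath(stripped)
    if _first_element_is_parent(normalized):
        raise ValueError(f"resource [{resource}] navigates out of the root")
    return resource


def tomcat_lookup(resource: str, root: str = CLASSES_ROOT) -> str:
    """Emulate the lookup: leading '/' have no effect, '..' walks up from root."""
    return posixpath.normpath(posixpath.join(root, resource.lstrip("/")))


def escapes_root(resource: str, root: str = CLASSES_ROOT) -> bool:
    """True when the emulated lookup lands outside the class-loader root."""
    target = tomcat_lookup(resource, root)
    return not (target == root or target.startswith(root + "/"))


def rejected(resolver, resource: str) -> bool:
    """Convenience: does the given guard reject this resource name?"""
    try:
        resolver(resource)
    except ValueError:
        return True
    return False


def traversal_in_resource_param(request_target: str) -> bool:
    """Detect an ssx/jsx request whose 'resource' value traverses under Tomcat rules.

    parse_qs percent-decodes, so an encoded '%2F..%2F' variant is caught too.
    """
    parts = urlsplit(request_target)
    if "/bin/ssx/" not in parts.path and "/bin/jsx/" not in parts.path:
        return False
    for value in parse_qs(parts.query).get("resource", []):
        if ".." in posixpath.normpath(value.lstrip("/")).split("/"):
            return True
    return False


# Constructed access-log lines (combined log format), not real traffic.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [20/May/2026:10:01:02 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 2310',
    '10.0.0.9 - - [20/May/2026:10:01:03 +0000] "GET /bin/ssx/Main/WebHome?resource=uicomponents/skin/style.css&minify=true HTTP/1.1" 200 871',
    '10.0.0.9 - - [20/May/2026:10:01:04 +0000] "GET /bin/jsx/Main/WebHome?resource=%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 2310',
]


def scan_access_log(lines):
    """Return the request targets of log lines that carry the traversal pattern."""
    hits = []
    for line in lines:
        try:
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        if traversal_in_resource_param(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    probe = "/../../WEB-INF/xwiki.cfg"
    print("pre-fix accepts :", not rejected(vulnerable_resolve, probe))
    print("lookup resolves :", tomcat_lookup(probe), "escapes:", escapes_root(probe))
    print("post-fix rejects:", rejected(fixed_resolve, probe))
    print("log hits        :", scan_access_log(CONSTRUCTED_LOG))
```

Running it shows the pre-fix guard accepting /../../WEB-INF/xwiki.cfg while the emulated lookup resolves it to the webapp's WEB-INF/xwiki.cfg, and the post-fix guard rejecting the same name once the leading slash is stripped before normalization. Real Tomcat resource resolution has more rules than the one modelled here, so treat the emulation as a model of the patch comment, not of the container.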

Impact

Successful exploitation allows an unauthenticated attacker to read server-side files reachable through the web application's class loader, most critically the WEB-INF/xwiki.cfg configuration file demonstrated in the description, which may contain the superadmin password. Disclosure of that password leads to full compromise of the XWiki instance, including data disclosure and privilege escalation to the superadmin account [2].

Mitigation

The vulnerability has been patched in XWiki Platform versions 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 [1][3]. No workaround is available; upgrading to a fixed version is the only mitigation [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

a979cafd89f6

XWIKI-23898: Improve classpath resolution for Tomcat

https://github.com/xwiki/xwiki-commons · Thomas Mortagne · Jan 16, 2026 · via nvd-ref
2 files changed · +21 −5
  • xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/main/java/org/xwiki/classloader/internal/ClassLoaderUtils.java (+15 −5, modified)
    @@ -47,20 +47,30 @@ private static String resolveResourceName(String prefixPath, String resourcePath
                 fullPath = resourcePath;
     
                 // Prevent access to resources from other directories
    -            // TODO: find or implement something closed to Servlet ClassLoader behavior to be as accurate as possible
    -            // and be able to reuse the normalized result
    -            Path normalizedResource = Paths.get(fullPath).normalize();
    +            // TODO: find or implement something closer to Servlet ClassLoader behavior to be as accurate as possible
    +            // and be able to reuse the normalized result. Not so easy since the various applications servers can use
    +            // different logics.
    +
    +            // On Tomcat, all leading / have no effect, contrary to Paths#normalize()
    +            int index = 0;
    +            while (index < fullPath.length() && fullPath.charAt(index) == '/') {
    +                ++index;
    +            }
    +            String normalizedPath = fullPath.substring(index);
    +
    +            Path normalizedResource = Paths.get(normalizedPath).normalize();
                 if (normalizedResource.startsWith("../")) {
                     throw new IllegalArgumentException(String.format(
                         "The provided resource name [%s] is trying to navigate out of the mandatory root location",
    -                    resourcePath));
    +                    fullPath));
                 }
             } else {
                 fullPath = prefixPath + resourcePath;
     
                 // Prevent access to resources from other directories
                 // TODO: find or implement something closed to Servlet ClassLoader behavior to be as accurate as possible
    -            // and be able to reuse the normalized result
    +            // and be able to reuse the normalized result. Not so easy since the various applications servers can use
    +            // different logics.
                 Path normalizedResource = Paths.get(fullPath).normalize();
                 if (!normalizedResource.startsWith(prefixPath)) {
                     throw new IllegalArgumentException(String.format(
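Review bot: the string that is validated is still not the string that is used: `normalizedPath` and `normalizedResource` exist only for the guard, and the retained TODO ("be able to reuse the normalized result") concedes that the caller goes on with the unnormalized `fullPath`, so the guard has to re-model each container's resolution rule, and today it models only Tomcat's leading-slash behaviour. Consider failing closed instead: after the slash-stripping loop, reject the name whenever `normalizedResource` still contains a `..` name element anywhere (after `normalize()` that can only be at the front of a relative path, so `normalizedResource.getNameCount() > 0 && normalizedResource.getName(0).toString().equals("..")` is equivalent to the current `startsWith("../")`), and return `normalizedPath` rather than `fullPath` so that what was checked is what is looked up. Minor: the `// TODO: find or implement something closed to` comment in the else branch keeps the "closed to" typo that the first branch corrected to "closer to".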
    
  • xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java (+6 −0, modified)
    @@ -85,6 +85,8 @@ void getResource()
             assertSame(this.resouceURL, ClassLoaderUtils.getResource(this.classLoader, RESOURCE_NAME_BACK));
     
             assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, ".."));
    +        assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, "/.."));
    +        assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, "////.."));
             assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, "./.."));
             assertThrows(IllegalArgumentException.class,
                 () -> ClassLoaderUtils.getResource(this.classLoader, "resource/../.."));
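Review bot: the two new cases (`"/.."` and `"////.."`) only exercise a bare parent reference; there is no case that combines a leading slash with an inner traversal, which is the shape of the reported URL (`/../../WEB-INF/xwiki.cfg`), and no positive case showing that a leading slash on a legitimate name still resolves, so the stripping loop could over-reject without any test failing. Suggest adding both next to the existing `"resource/../.."` line, e.g. `assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, "/resource/../.."));` and `assertSame(this.resouceURL, ClassLoaderUtils.getResource(this.classLoader, "/" + RESOURCE_NAME));` (assuming `RESOURCE_NAME` is the relative name behind `RESOURCE_NAME_BACK`).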
    @@ -106,6 +108,10 @@ void getResourceAsStream()
     
             assertThrows(IllegalArgumentException.class,
                 () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, ".."));
    +        assertThrows(IllegalArgumentException.class,
    +            () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, "/.."));
    +        assertThrows(IllegalArgumentException.class,
    +            () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, "///.."));
             assertThrows(IllegalArgumentException.class,
                 () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, "./.."));
             assertThrows(IllegalArgumentException.class,
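Review bot: the getResourceAsStream cases use `"///.."` (three slashes) while the getResource cases above use `"////.."` (four), and the lists are otherwise maintained by hand in two places. Pull the traversal inputs into one shared array (or a `@ParameterizedTest` `@ValueSource`) iterated by both tests so the two entry points are proven to share the same guard and a future case cannot be added to one and forgotten in the other.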
    


References: 3
