VYPR
Critical severity · NVD Advisory · Published May 20, 2026

CVE-2026-33137

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated XAR import via REST endpoint allows attackers to create/update documents, potentially leading to RCE.

Vulnerability

XWiki Platform versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 are affected. The POST /wikis/{wikiName} REST endpoint executes a XAR import without authentication or authorization checks [2]. Refactoring in XWIKI-21071 inadvertently removed the admin right check [2]. An attacker can import a XAR containing any document, including XWiki.XWikiPreferences to grant programming rights [2].

Exploitation

An unauthenticated attacker can send a POST request to /wikis/{wikiName} with a crafted XAR file. No authentication or prior access is required. The endpoint imports the XAR, creating or updating documents as the guest user [3]. Attack steps: craft a malicious XAR archive with a page that grants programming rights, then POST it to the endpoint.

Impact

Successful exploitation allows an attacker to create or update arbitrary documents in the target wiki. By importing a XAR containing a XWiki.XWikiPreferences page that grants programming rights, the attacker can gain full administrative control and execute arbitrary code on the server [2][3]. This can lead to complete compromise of the wiki instance.

Mitigation

The vulnerability is patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1 [1][3]. No workarounds exist except blocking POST requests to /wikis/{wikiName} at an HTTP proxy [3]. Users should upgrade immediately.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

Commit 4b7b95b79256

XWIKI-23953: Improve XAR import

https://github.com/xwiki/xwiki-platform · Thomas Mortagne · Jan 27, 2026 · via nvd-ref
4 files changed · +55 −27
  • xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/wikis/WikiResourceImpl.java (+13 −0, modified)
    @@ -36,6 +36,9 @@
     import org.xwiki.rest.internal.DomainObjectFactory;
     import org.xwiki.rest.model.jaxb.Wiki;
     import org.xwiki.rest.resources.wikis.WikiResource;
    +import org.xwiki.security.authorization.AccessDeniedException;
    +import org.xwiki.security.authorization.ContextualAuthorizationManager;
    +import org.xwiki.security.authorization.Right;
     import org.xwiki.wiki.descriptor.WikiDescriptorManager;
     import org.xwiki.wiki.manager.WikiManagerException;
     
    @@ -56,6 +59,9 @@ public class WikiResourceImpl extends XWikiResource implements WikiResource
         @Inject
         private WikiDescriptorManager wikis;
     
    +    @Inject
    +    private ContextualAuthorizationManager authorizationManager;
    +
         @Override
         public Wiki get(String wikiName) throws XWikiRestException
         {
    @@ -74,6 +80,13 @@ public Wiki get(String wikiName) throws XWikiRestException
         public Wiki importXAR(String wikiName, Boolean backup, String historyStrategy, InputStream is)
             throws XWikiRestException
         {
    +        // Importing a XAR require wiki admin right
    +        try {
    +            this.authorizationManager.checkAccess(Right.ADMIN, new WikiReference(wikiName));
    +        } catch (AccessDeniedException e) {
    +            throw new WebApplicationException(e.getMessage(), Response.Status.FORBIDDEN);
    +        }
    +
             try {
                 if (!this.wikis.exists(wikiName)) {
                     throw new WebApplicationException(Response.Status.NOT_FOUND);
    
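Review bot: In the third hunk the comment should read "Importing a XAR requires wiki admin right"; more substantively, the new `this.authorizationManager.checkAccess(Right.ADMIN, new WikiReference(wikiName))` runs before the existing `this.wikis.exists(wikiName)` check, so a caller without admin right gets 403 whether or not the wiki exists, instead of a 404 that would reveal which wiki names are valid; that ordering is deliberate security behaviour and deserves a one-line comment so a later refactor does not swap it. Also consider whether `e.getMessage()` from the `AccessDeniedException` needs to go into the response body at all, or whether a fixed reason string for the `Response.Status.FORBIDDEN` is enough.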
  • xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-docker/src/test/it/org/xwiki/attachment/test/ui/docker/WikisIT.java (+42 −0, modified)
    @@ -19,9 +19,16 @@
      */
     package org.xwiki.attachment.test.ui.docker;
     
    +import java.io.InputStream;
    +
    +import org.apache.commons.httpclient.HttpStatus;
     import org.apache.commons.httpclient.methods.GetMethod;
    +import org.apache.commons.httpclient.methods.PostMethod;
    +import org.junit.jupiter.api.Test;
     import org.junit.jupiter.params.ParameterizedTest;
    +import org.xwiki.model.reference.LocalDocumentReference;
     import org.xwiki.model.reference.WikiReference;
    +import org.xwiki.rest.model.jaxb.Page;
     import org.xwiki.rest.resources.wikis.WikiResource;
     import org.xwiki.test.docker.junit5.UITest;
     import org.xwiki.test.docker.junit5.WikisSource;
    @@ -60,4 +67,39 @@ void authenticateOnPathWiki(WikiReference wiki, TestUtils setup) throws Exceptio
                 get.releaseConnection();
             }
         }
    +
    +    @Test
    +    void testImportXAR(TestUtils setup) throws Exception
    +    {
    +        // Try as guest
    +        setup.setDefaultCredentials(null);
    +
    +        try (InputStream is = this.getClass().getResourceAsStream("/Main.Foo.xar")) {
    +            PostMethod post = setup.rest().executePost(WikiResource.class, is, "xwiki");
    +            try {
    +                assertEquals(HttpStatus.SC_FORBIDDEN, post.getStatusCode());
    +            } finally {
    +                post.releaseConnection();
    +            }
    +        }
    +
    +        // Switch to superadmin
    +        setup.setDefaultCredentials(TestUtils.SUPER_ADMIN_CREDENTIALS);
    +
    +        try (InputStream is = this.getClass().getResourceAsStream("/Main.Foo.xar")) {
    +            PostMethod post = setup.rest().executePost(WikiResource.class, is, "xwiki");
    +            try {
    +                assertEquals(HttpStatus.SC_OK, post.getStatusCode());
    +            } finally {
    +                post.releaseConnection();
    +            }
    +        }
    +
    +        Page page = setup.rest().get(new LocalDocumentReference("Main", "Foo"));
    +
    +        assertEquals("xwiki", page.getWiki());
    +        assertEquals("Main", page.getSpace());
    +        assertEquals("Foo", page.getName());
    +        assertEquals("Foo", page.getContent());
    +    }
     }
    
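Review bot: The new `testImportXAR` only covers the two extremes (guest → `SC_FORBIDDEN`, superadmin → `SC_OK`); the check added in `WikiResourceImpl` is on `Right.ADMIN` for the target wiki, so an authenticated user who lacks admin right on that wiki is the boundary case and deserves a third assertion. The test also hard-codes `"xwiki"` while the neighbouring `authenticateOnPathWiki(WikiReference wiki, TestUtils setup)` is a `@ParameterizedTest` fed by `@WikisSource`; driving the import from the same sources would exercise subwikis as well. The import hunk adds `org.junit.jupiter.api.Test` but no static import for `assertEquals`, so confirm the file already has one.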
  • xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-docker/src/test/resources/Main.Foo.xar (+0 −0, renamed)
  • xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/WikisResourceIT.java (+0 −27, modified)
    @@ -20,7 +20,6 @@
     package org.xwiki.rest.test;
     
     import java.io.ByteArrayInputStream;
    -import java.io.InputStream;
     import java.io.StringReader;
     import java.nio.charset.StandardCharsets;
     import java.util.Arrays;
    @@ -29,7 +28,6 @@
     
     import org.apache.commons.httpclient.HttpStatus;
     import org.apache.commons.httpclient.methods.GetMethod;
    -import org.apache.commons.httpclient.methods.PostMethod;
     import org.apache.commons.httpclient.util.URIUtil;
     import org.apache.commons.io.input.ReaderInputStream;
     import org.junit.Assert;
    @@ -42,18 +40,15 @@
     import org.xwiki.rest.model.jaxb.Attachment;
     import org.xwiki.rest.model.jaxb.Attachments;
     import org.xwiki.rest.model.jaxb.Link;
    -import org.xwiki.rest.model.jaxb.Page;
     import org.xwiki.rest.model.jaxb.PageSummary;
     import org.xwiki.rest.model.jaxb.Pages;
     import org.xwiki.rest.model.jaxb.SearchResult;
     import org.xwiki.rest.model.jaxb.SearchResults;
     import org.xwiki.rest.model.jaxb.Wiki;
     import org.xwiki.rest.model.jaxb.Wikis;
    -import org.xwiki.rest.resources.pages.PageResource;
     import org.xwiki.rest.resources.wikis.WikiAttachmentsResource;
     import org.xwiki.rest.resources.wikis.WikiChildrenResource;
     import org.xwiki.rest.resources.wikis.WikiPagesResource;
    -import org.xwiki.rest.resources.wikis.WikiResource;
     import org.xwiki.rest.resources.wikis.WikiSearchQueryResource;
     import org.xwiki.rest.resources.wikis.WikiSearchResource;
     import org.xwiki.rest.resources.wikis.WikisResource;
    @@ -546,28 +541,6 @@ public void testGlobalSearch() throws Exception
             Assert.assertEquals(this.fullName, searchResults.getSearchResults().get(0).getPageFullName());
         }
     
    -    @Test
    -    public void testImportXAR() throws Exception
    -    {
    -        InputStream is = this.getClass().getResourceAsStream("/Main.Foo.xar");
    -        String wiki = getWiki();
    -
    -        PostMethod postMethod = executePost(buildURI(WikiResource.class, wiki).toString(), is,
    -            TestUtils.SUPER_ADMIN_CREDENTIALS.getUserName(), TestUtils.SUPER_ADMIN_CREDENTIALS.getPassword());
    -        Assert.assertEquals(getHttpMethodInfo(postMethod), HttpStatus.SC_OK, postMethod.getStatusCode());
    -
    -        GetMethod getMethod = executeGet(buildURI(PageResource.class, wiki, Arrays.asList("Main"), "Foo").toString(),
    -            TestUtils.SUPER_ADMIN_CREDENTIALS.getUserName(), TestUtils.SUPER_ADMIN_CREDENTIALS.getPassword());
    -        Assert.assertEquals(getHttpMethodInfo(getMethod), HttpStatus.SC_OK, getMethod.getStatusCode());
    -
    -        Page page = (Page) unmarshaller.unmarshal(getMethod.getResponseBodyAsStream());
    -
    -        Assert.assertEquals(wiki, page.getWiki());
    -        Assert.assertEquals("Main", page.getSpace());
    -        Assert.assertEquals("Foo", page.getName());
    -        Assert.assertEquals("Foo", page.getContent());
    -    }
    -
         @Test
         public void testAttachmentsNumberParameter() throws Exception
         {
    
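Review bot: With `testImportXAR` deleted from `WikisResourceIT`, the only visible use of `java.util.Arrays` was `Arrays.asList("Main")` in the removed method, yet `import java.util.Arrays;` stays as a context line; check whether anything else in the file still uses it and, if not, drop it together with the `InputStream`, `PostMethod`, `Page`, `PageResource` and `WikiResource` imports this patch already removes. The removed test only ever ran as superadmin, so moving it to the docker suite with a guest case is a net gain; a note in the commit message saying the test was moved rather than dropped would help anyone reading the history.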

Vulnerability mechanics

Root cause

"Missing authorization check in the XAR import REST endpoint allows unauthenticated document creation or modification."

Attack vector

An unauthenticated attacker sends a POST request to `/wikis/{wikiName}` with a XAR archive in the request body. The endpoint invokes `importXAR()` without verifying the caller's identity or rights [patch_id=876970]. Because no authentication or authorization check is performed, any attacker who can reach the XWiki REST API can create or overwrite arbitrary wiki documents. The advisory confirms that no authentication or authorization checks existed prior to the fix.

Affected code

The vulnerable code is in `WikiResourceImpl.importXAR()` within `xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/wikis/WikiResourceImpl.java`. The method accepted a POST to `/wikis/{wikiName}` and performed a XAR import without any authorization check [patch_id=876970].

What the fix does

The patch injects a `ContextualAuthorizationManager` into `WikiResourceImpl` and calls `authorizationManager.checkAccess(Right.ADMIN, new WikiReference(wikiName))` at the start of `importXAR()`, before the import proceeds [patch_id=876970]. If the current user lacks ADMIN right on the target wiki, the resulting `AccessDeniedException` is caught and re-thrown as a `403 Forbidden` response. This closes the vulnerability by ensuring that only authenticated users with administrative privileges on the wiki can trigger a XAR import.

Preconditions

  • Network: the attacker must be able to reach the XWiki REST API endpoint /wikis/{wikiName}.
  • Input: the attacker must supply a valid XAR archive in the POST body.
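Both the proxy block on POST /wikis/{wikiName} from the Mitigation section and any triage of access logs for the attack vector above hinge on matching that exact path without catching its sub-resources (/wikis/{wikiName}/pages/... is a different endpoint). The Python below is an added example, not XWiki's code or the advisory's; it assumes the REST API is mounted under /xwiki/rest or /rest and runs over constructed log lines.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the advisory): the REST API is mounted under one of
# these prefixes; the advisory gives only the path relative to the REST root.
REST_PREFIXES = ("/xwiki/rest", "/rest")

# Exactly one segment after /wikis/ (optional trailing slash). Sub-resources such
# as /wikis/{wikiName}/pages/... are other endpoints and must not match.
_WIKI_RESOURCE = re.compile(r"^/wikis/([^/]+)/?$")

def is_xar_import(method, target):
    """Return the wiki name when (method, request-target) is POST /wikis/{wikiName}, else None."""
    if method.upper() != "POST":
        return None
    path = urlsplit(target).path  # drop any ?query string
    for prefix in REST_PREFIXES:
        if path.startswith(prefix + "/"):
            m = _WIKI_RESOURCE.match(path[len(prefix):])
            return m.group(1) if m else None
    return None

# Constructed combined-format access log lines for illustration, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2026:10:01:02 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 812 "-" "curl/8.4.0"
10.0.0.5 - - [27/Jan/2026:10:01:09 +0000] "GET /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.7 - alice [27/Jan/2026:10:02:11 +0000] "POST /xwiki/rest/wikis/xwiki/pages/Main/Foo HTTP/1.1" 201 300 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jan/2026:10:03:30 +0000] "POST /xwiki/rest/wikis/sub1/?backup=false HTTP/1.1" 403 90 "-" "python-requests/2.31"
"""

_LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_import_attempts(log_text):
    """Return (client, proxy_user, wiki, status) for every POST /wikis/{wikiName} seen."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        client, user, _ts, method, target, status = m.groups()
        wiki = is_xar_import(method, target)
        if wiki:
            hits.append((client, user, wiki, int(status)))
    return hits

def accepted_without_user(hits):
    """Imports answered 200 with no user at the proxy: on an unpatched instance this is
    the guest import the advisory describes; a patched instance answers 403 instead."""
    return [h for h in hits if h[1] == "-" and h[3] == 200]
```

The proxy's user field only reflects HTTP Basic credentials it saw, so cookie-authenticated admins also show as "-"; treat a hit as a lead to confirm against the XWiki document history, not as proof of compromise.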

Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
